The Relevance of Risk Based Thinking in ISO 9001:2015 and ISO 14001:2015

March 4, 2016
Our webinar will begin at 1:00 PM

Carmine Liuzzi
Manage risk.
Facilitate innovation.
Now you can do both.

Presenter

Carmine Liuzzi
Industry Leader
Learning & Improvement Solutions

• 23-year veteran with SAI Global
• Master's degree in polymer chemistry from Long Island University and a bachelor's in biochemistry from Manhattan College
• Areas of specialty include ISO 9001, ISO 14001, ISO/TS 16949 and OHSAS 18001, as well as process improvement techniques
• Exemplar Global certified Lead Auditor for Quality and Environmental Management Systems; automotive expert, including ISO/TS 16949, APQP, PPAP, FMEA, MSA
• Coaches clients in all aspects of developing, implementing and integrating management systems, and provides services that range from training and consulting support to leading internal assessment teams
Webinar Objectives

• Discuss the concept of "risk management"
• Understand the requirements for risk identification and control in ISO 9001:2015 and ISO 14001:2015
• Review potential methods to evaluate and prioritize risk
ISO Standards and “Risk-based thinking”

• The concept of risk has always been a component of ISO 9001 and
ISO 14001, by requiring the organization to plan its processes and
manage its business to avoid undesirable results.
• Organizations have typically done this by putting greater emphasis
on planning and controlling processes that have the biggest impact
on the quality of the products and services they provide.

ISO Standards and "Risk-based thinking"

• The way in which organizations manage risk varies depending on their business context (e.g. the criticality of the products and services being provided, complexity of the processes, and the potential consequences of failure)
• Use of the phrase "risk-based thinking" is intended to make it clear that while an awareness of risk is important, formal risk-management methodologies and risk assessment are not necessarily appropriate for all business situations and organizations.
ISO Standards and "Risk-based thinking"

• Risk is the effect of uncertainty on an expected result, and the concept of risk-based thinking has always been implicit in ISO 9001 and ISO 14001
• The 2015 revisions to ISO 9001 and ISO 14001 make risk-based thinking more explicit and incorporate it in the requirements for the establishment, implementation, maintenance and continual improvement of management systems
• The revisions now also require identification of opportunities, not only of risks
Risk-based thinking

• Basis for increasing the effectiveness of the management system, achieving improved results and preventing negative effects
• Risk is the effect of uncertainty, which can have negative or positive effects
• Actions taken to address opportunities can also include consideration of the associated risk
Risk-based thinking

• Consideration of risk is essential for achieving an effective management system
• The concept of risk-based thinking has always been implicit in ISO standards in the requirements for preventive action
• Any organization needs to plan and implement actions to address risks and opportunities
Sustainable Business Success & Risk

• Being aware of the organization's environment, effectively managing opportunities and risks, learning from experience, and applying improvement and innovation
• Corporate sustainability is a business approach that creates long-term shareholder value by embracing opportunities and managing risks deriving from economic, environmental and social developments.

Source: ISO 9004:2009
Taking A Risk Based Approach is Not A Risk Management System

• Risk-based thinking ensures risk is considered from the beginning and throughout the entire management system
• Risk-based thinking is supported by the PDCA process approach
• Risk-based thinking makes preventive action part of strategic and operational planning
• Neither ISO 9001 nor ISO 14001 requires fully functional risk management activities to meet the requirements
• A documented procedure is not required
ISO 31000:2009 "Risk Management - Principles and Guidelines"

• The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management.
• The intent of ISO 31000 is to be applied within existing management systems to formalize and improve risk management processes
• ISO 31000 is a useful reference for organizations that want or need a more formal approach to risk
• Its use is not a requirement of ISO 9001:2015 or ISO 14001:2015
ISO 31000:2009 "Risk Management - Principles and Guidelines"

• ISO 31000 lists the options an organization has for treating an identified risk:
− Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
− Accepting or increasing the risk in order to pursue an opportunity
− Removing the risk source
− Changing the likelihood
− Changing the consequences
− Sharing the risk with another party or parties (including contracts and risk financing)
− Retaining the risk by informed decision
Risk-based Thinking

• Organizations are required to understand their context (clause 4.1) and determine the risks and opportunities that need to be addressed as a basis for planning (clause 6.1)
• This represents the application of risk-based thinking to the planning and implementation of QMS / EMS processes (clause 4.4)
• No requirement for formal methods for risk management or a documented risk management process
• One of the key purposes of a management system is to act as a preventive tool
Where is Risk referenced in ISO 9001:2015

• Clause 4.4.1 f) - QMS and its processes - address the risks and opportunities determined in accordance with the requirements of 6.1 (see below), and plan and implement the appropriate actions to address them
• Clause 5.1.1 d) - Leadership - promoting the use of the process approach and risk-based thinking
• Clause 5.1.2 b) - Customer focus - the risks and opportunities that can affect conformity of products and services…
• Clause 6.1.1 & 6.1.2 - Actions to address risks and opportunities… proportionate to the potential impact…
• Clause 8.1 - Operational planning and control - review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. Isn't this risk?
Where is Risk referenced in ISO 9001:2015

• Clause 8.3.3 e) - Design and development inputs - the potential consequences of failure due to the nature of the products and services. Isn't this risk?
• Clause 8.5.5 - Post-delivery activities - in determining the post-delivery activities that are required, the organization shall consider the potential undesired consequences. Isn't this risk?
• Clause 9.1.3 e) - Analysis and evaluation - the effectiveness of actions taken to address risks and opportunities
• Clause 9.3.2 e) - Management review - the management review shall be planned and carried out taking into consideration the effectiveness of actions taken to address risks and opportunities
• Clause 10.2.1 e) - Nonconformity and corrective action - update risks and opportunities determined during planning, if necessary
Where is Risk referenced in ISO 14001:2015

• Clause 6.1.1 - Actions to address risks and opportunities - determine the risks and opportunities related to its environmental aspects (6.1.2), compliance obligations (6.1.3) and other issues and requirements identified in 4.1 and 4.2 that need to be addressed so that the EMS can achieve its intended outcomes, and to prevent or reduce undesired effects, including the potential for external environmental conditions to affect the organization.
… maintain documented information of its risks and opportunities that need to be addressed, and of the processes needed, to the extent necessary to have confidence they are carried out as planned.
• Clause 6.1.4 - Planning action - the organization shall plan to take actions to address its … risks and opportunities, integrate and implement the actions into its EMS processes (6.2; 7; 8; 9.1) and evaluate the effectiveness of these actions (9.1)
Where is Risk referenced in ISO 14001:2015

• Clause 8.1 - Operational planning and control - the organization shall control planned changes and review the consequences of unintended changes. Isn't this risk?
• Clause 8.2 - Emergency preparedness and response - establish, implement and maintain the processes needed to prepare for and respond to potential emergency situations identified in 6.1.1. Isn't this risk?
• Take action to prevent or mitigate the consequences of emergency situations. Isn't this risk?
• Clause 9.3 - Management review - the management review shall include consideration of b) changes in risks and opportunities
• Clause 10.2 - Nonconformity and corrective action - react to the nonconformity and, as applicable, deal with the consequences, including mitigating adverse environmental impacts. Isn't this risk?
Risk-based Thinking

• There is no separate clause or sub-clause titled "Preventive action"
• The concept of preventive action is expressed through a risk-based approach to formulating QMS / EMS requirements
• The organization is responsible for the application of risk-based thinking and the actions required to address the identified risks
• Determine the level of risk for QMS / EMS processes to meet intended outputs, objectives, etc.
Plan-Do-Check-Act Cycle

• The methodology known as the "Plan-Do-Check-Act" cycle can be applied to all business processes and to both quality and environmental management systems as whole entities
• The PDCA cycle can be briefly described as follows:
• Plan: establish the objectives of the system and its component processes and resources
• Do: implement what was planned
• Check: monitor and, where applicable, measure processes, products and services against policies, objectives and requirements, and report the results
• Act: take actions to improve process performance, as necessary
0.3 Process Approach (ISO 9001:2015) (figure not reproduced)

Process Approach - schematic representation of a single process

PROCESS: "set of interrelated or interacting activities which transforms inputs into outputs"
Input → PROCESS → Output (product)
CONTROLS act on the process; RESOURCES (people, equipment, material) are consumed by it
Process effectiveness: extent to which planned activities are realized and planned results achieved
Process efficiency: relationship between the result achieved and the resources used

A desired result is achieved more efficiently when activities and related resources are managed as a process

Fig 2 - Representation of a process-based approach in the PDCA cycle (figure not reproduced)
Why use risk-based thinking?

Successful organizations intuitively apply risk-based thinking because it brings benefits that:

• Improve corporate governance
• Establish a proactive culture of improvement
• Enable compliance activities
• Assure consistency of processes, products and services
• Improve customer confidence and satisfaction
What is Required?

• Identify the risks to your organization's success, both internal and external to the organization
• Use risk-based thinking to prioritize the way you manage your processes
• ISO 9001:2015 and ISO 14001:2015 do not require a formal risk management process
Basic Steps of Risk Assessment

• Balance risks and opportunities
• Analyse and prioritize your risks
- What is an acceptable / unacceptable risk?
• Plan actions to address the risk
- How can the organization eliminate / mitigate the risks?
• Implement the determined controls
• Check the effectiveness of the controls
• Look for continual improvement opportunities
Creating a "Risk Register"

• The risk register is a useful tool to record, evaluate and monitor the organization's risks
• Format is your choice - a simple spreadsheet or database is the most common
• All identified risks and the actions taken are compiled into one document
• Spreadsheet example (next slides)

Risk Register - Example (spreadsheet screenshots not reproduced)

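The register and the "Basic Steps of Risk Assessment" above (analyse and prioritize, decide what is acceptable, plan and implement actions, check their effectiveness) as a small working example. This is an added illustration by the editor, not SAI Global's spreadsheet and not part of the webinar. Everything about the scoring is an assumption: a 1-5 scale for likelihood and consequence, risk score = likelihood × consequence, and a tolerance threshold of 12 at or above which a risk is unacceptable. The treatment option names are the ISO 31000 list quoted on the earlier slide; the sample risks are constructed.

```python
"""Minimal risk register: record, score, prioritize, treat, check, export.

Assumptions (editor's, not from the webinar): a 1..5 scale for likelihood
and consequence, score = likelihood * consequence, and a tolerance threshold
of 12 at or above which a risk is "unacceptable" and must be treated.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field

# ISO 31000 treatment options, as listed on the slide.
TREATMENTS = {
    "avoid", "accept_or_increase", "remove_source", "change_likelihood",
    "change_consequences", "share", "retain",
}
# Options that must actually lower the score; the others leave it unchanged.
REDUCING = {"avoid", "remove_source", "change_likelihood", "change_consequences"}

SCALE = range(1, 6)   # assumed 1..5 scale for both factors
THRESHOLD = 12        # assumed tolerance: score >= 12 is unacceptable


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int                 # inherent likelihood, 1..5
    consequence: int                # inherent consequence, 1..5
    owner: str
    treatment: str | None = None
    residual_likelihood: int | None = None
    residual_consequence: int | None = None

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.consequence not in SCALE:
            raise ValueError(f"{self.risk_id}: likelihood/consequence must be 1..5")

    @property
    def inherent_score(self) -> int:
        return self.likelihood * self.consequence

    @property
    def residual_score(self) -> int:
        # Until a treatment is recorded, residual risk equals inherent risk.
        if self.residual_likelihood is None or self.residual_consequence is None:
            return self.inherent_score
        return self.residual_likelihood * self.residual_consequence

    def is_acceptable(self) -> bool:
        return self.residual_score < THRESHOLD


@dataclass
class RiskRegister:
    risks: dict[str, Risk] = field(default_factory=dict)

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self.risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self.risks[risk.risk_id] = risk

    def prioritized(self) -> list[Risk]:
        """Highest residual score first; ties broken by worst consequence."""
        return sorted(self.risks.values(),
                      key=lambda r: (r.residual_score, r.consequence), reverse=True)

    def unacceptable(self) -> list[Risk]:
        """The 'what is unacceptable?' step: everything at or above THRESHOLD."""
        return [r for r in self.prioritized() if not r.is_acceptable()]

    def treat(self, risk_id: str, treatment: str,
              residual_likelihood: int, residual_consequence: int) -> Risk:
        """Record the planned action and the residual risk it is expected to leave."""
        if treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {treatment!r}")
        r = self.risks[risk_id]
        if residual_likelihood not in SCALE or residual_consequence not in SCALE:
            raise ValueError("residual factors must be 1..5")
        if treatment in REDUCING and \
                residual_likelihood * residual_consequence >= r.inherent_score:
            raise ValueError(f"{risk_id}: {treatment} does not reduce the score")
        r.treatment = treatment
        r.residual_likelihood = residual_likelihood
        r.residual_consequence = residual_consequence
        return r

    def check_effectiveness(self) -> dict[str, bool]:
        """The 'check' step: did every treated risk end up acceptable?"""
        return {r.risk_id: r.is_acceptable() for r in self.risks.values() if r.treatment}

    def to_csv(self) -> str:
        """Export in spreadsheet-compatible CSV, highest priority first."""
        buf = io.StringIO()
        w = csv.writer(buf)
        w.writerow(["id", "description", "owner", "L", "C", "inherent", "treatment",
                    "resid L", "resid C", "residual", "acceptable"])
        for r in self.prioritized():
            w.writerow([r.risk_id, r.description, r.owner, r.likelihood, r.consequence,
                        r.inherent_score, r.treatment or "", r.residual_likelihood or "",
                        r.residual_consequence or "", r.residual_score, r.is_acceptable()])
        return buf.getvalue()


def build_sample_register() -> RiskRegister:
    """Constructed sample entries (not from the webinar)."""
    reg = RiskRegister()
    reg.add(Risk("R1", "Single-source supplier for critical component", 4, 5, "Purchasing"))
    reg.add(Risk("R2", "Calibration of test equipment lapses", 3, 4, "Quality"))
    reg.add(Risk("R3", "Minor labelling errors on packaging", 2, 2, "Production"))
    reg.add(Risk("R4", "Chemical spill in storage area", 2, 5, "EHS"))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    register.treat("R1", "change_likelihood", 2, 5)   # e.g. qualify a second supplier
    register.treat("R2", "change_likelihood", 1, 4)   # e.g. scheduled calibration recall
    print(register.to_csv())
```

With the sample data, R1 (score 20) and R2 (score 12) are the unacceptable entries; after the two treatments both fall below the threshold, which is what the "check the effectiveness of the controls" step verifies. The residual-must-be-lower rule in treat() catches a register entry that names a reducing treatment but records no actual reduction, a common finding in audits of spreadsheet registers.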
Conclusions

Risk-based thinking:

• Is not a new concept
• Is iterative
• Provides increased knowledge of risks throughout the organization and improves preparedness
• Enhances the likelihood of achieving objectives
• Reduces the probability of undesired results or surprises
Balance risk and encourage innovation. With confidence.

MANAGE COMPLEXITY WITH TRUSTED SOLUTIONS

The business world is experiencing unprecedented change. Global expansion. Emerging markets. Nimble competitors. Digital disruption. Mobile staff. Empowered customers. Every business in every country is facing increased complexity in every operation. Those who are succeeding are using a new approach to risk management.
INTEGRATED RISK MANAGEMENT SOLUTIONS

By partnering with SAI Global you'll have peace of mind knowing your risk management activities are controlled. By using solutions that monitor, measure and inform, we can help you build trust throughout your organisation and with stakeholders.
GLOBAL EXPERIENCE, LOCAL SOLUTIONS

Our experience stretches across 29 countries in Europe, North America, Asia and Australasia. Our expertise extends across many industries, from resources and automotive to healthcare and property. You can draw on our global strength, no matter where you are located, your industry challenges, or the size of your business.
SAI Global Risk Management Solutions program (cycle of five phases)

DISCOVER AND ASSESS
• Identify legal, regulatory and compliance obligations
• Map obligations to business processes
• Align business values and objectives to risk management strategy

DEVELOP POLICIES, PROCEDURES AND CONTROLS
• Design and document end-to-end processes
• Map and assign accountability
• Develop tools to monitor program effectiveness

TRAIN AND COMMUNICATE
• Engage and train employees to drive behavioural change
• Develop methods to monitor employee engagement
• Capture and assess training effectiveness

MONITOR AND ACT
• Monitor and report key risk indicators and trends
• Real-time visibility of compliance status and issues
• Validate program effectiveness

EVALUATE AND IMPROVE
• Review program performance
• Realign processes, people and objectives
• Drive continuous improvement and growth
Learning & Improvement Solutions

• Public training (classroom)
• On-site training / In-house training*
• Free Webinars
• Interactive Webinars
• eLearning courses
• On-site consulting, including*:
– On-site gap analysis
– Management system implementation
– Kaizen event
– Program review & development
– Product specification building

*SAI Global's Improvement Solutions Business and Certification Services Business operate independently. Any audit provided by our Certification Services Business is totally independent of any work we may have done through our Improvement Solutions Business and will not provide our clients with any special treatment.
Questions and Answers

Carmine Liuzzi
Industry Leader
SAI Global Assurance Services, Learning & Improvement Solutions
Phone: 203-300-3776
carmine.liuzzi@saiglobal.com

www.saiglobal.com/assurance