
Risk-oriented thinking has received the greatest development abroad. This concept has received further development with the release of the international standard ISO 9001:2015.

Risk management concept

This direction is a fairly new trend in the development of an economic entity.

It was first mentioned in an American article back in 1956. Its meaning boiled down to the fact that legal entities should hire risk management specialists to reduce economic losses.

Since the second half of the last century, these publications have become regular. In the 1970s, risk assessment consulting services began to emerge.

The concept of risk and its management

Risk is the influence of uncertainty. This definition is given in GOST R ISO 9001-2015. This indicates that risk-based thinking is being built into the quality management system.

Uncertainty can be understood as inaccurate or incomplete information provided under the terms of the project. Any entrepreneurial activity is associated with this concept.

In order to manage risks, they must be identified, analyzed and resolved. This management process should be carried out in consultation with interested parties in order to modify it so that subsequent processing is not required.

Risk Based Thinking in the 2015 ISO 9000 series

To implement it, an economic entity must create a set of agreed methods and activities to manage and control risks that can hinder the organization's activities in achieving its goal.

This requirement, which appeared in the 2015 version of the standards, essentially replaces the requirement to take preventive actions from the 2011 version.

Opportunities need to be implemented along with risks. The latter is understood as the ability of an object to produce a product that meets the requirements at the output.

The reason for this replacement of preventive actions with risk-based thinking is that the former were not perceived as a means of continuous improvement, as a result of which the latter were carried out at a rather low level and haphazardly.

According to the new version of the standard, business entities wishing to be certified for compliance with this QMS must identify risks, as well as opportunities, and determine actions to address them. Legal entities must decide how to make these actions part of their quality management system, and how they will monitor, analyze and evaluate the effectiveness of these processes and actions.

In accordance with the requirements of this standard, top management will be involved in the process of identifying, registering, reducing and eliminating risks.

The new version of ISO 9001 does not require any special document to describe the risk-based approach of a legal entity. But to ensure uniformity, it is better to create instructions for identifying and assessing risks.

Connection of the phenomenon under consideration with the process approach

The current version of the above standard requires the mandatory application of this approach.

At the planning (P) stage, its implementation includes an analysis of both the internal and external environment of the business entity using various quality management methods: data stratification using checklists, brainstorming, Shewhart control charts, Ishikawa and scatter diagrams, SWOT and PEST analysis, benchmarking, and the Delphi method.

At the do (D) stage, the risk is assessed and acted upon using the above methods, as well as FMEA analysis, expert method, HACCP and some others.

The "Control" (C) stage involves monitoring and measuring the implemented strategy for identifying and assessing risks.

The “Act” (A) stage involves reviewing the organization's risk policy, designing and implementing various measures to improve the functioning of the risk management process.

Thus, the process approach and risk-based thinking are interrelated. This is confirmed by the fact that the phenomenon under consideration is given in the ISO 9001:2015 standard in the section "Process approach".

Risk assessment and identification

The ideology of risk-based thinking implies the mandatory implementation of these stages.

Risk assessment includes risk identification, as well as analysis and calculation. It can be carried out by various methods. This assessment brings a better understanding of the risks, allowing you to make the right decisions on the best approach to handling them. The results of this stage serve as input to decision-making processes.

Risk identification is a process for identifying, recognizing and registering risks. It is carried out in order to evaluate what could potentially happen that will affect the achievement of the goals that the organization has set for itself.

Risk identification methods include those based on evidence, a systematic team approach, and inductive reasoning. To carry out this operation, it is necessary to determine the factors influencing the stable activity of an economic entity.

Examples

Consider the application of risk-based thinking in the enterprise.

Let's assume that the plumbing, which has a significant length, has passed into the scope of responsibility of the plumber. During his vacation, an accident occurs at one of the sections of the water supply, and the features of the infrastructure and structure of the latter are known only to this plumber. It takes time to study them, consumers want to transfer the pipe system through which water is supplied to other competitors.

Applying risk-based thinking in this example, the entity should determine the competence of the persons working for it who affect the effectiveness of the QMS, provide training for these persons, carry out other actions aimed at acquiring the required competence, evaluate the effectiveness of those actions, and register and store information indicating competence.

Finally

Risk-based thinking is one of the requirements of the international standard in the field of quality management systems. It is associated with a process approach and should be carried out systematically. Responsibility for making such decisions in the field of QMS lies with the top management of the company. Wrong actions in the risk-based approach can lead to losses for the economic entity.

A.2 Products and services

ISO 9001:2008 used the term "product" to cover all categories of "outputs". In this edition of this International Standard, the term “products and services” is used. It also includes all categories of "outputs" (hardware, services, software and processed materials). The introduction of the term “services” into circulation is caused by the need to emphasize the difference between products and services in the context of applying certain requirements to them. A feature of services is that at least part of the results obtained is achieved through direct interaction with the consumer. This means, for example, that compliance with the requirements cannot always be confirmed before the service is fully provided.

In most cases, "products" and "services" are used together. Most of the outputs that an organization or external providers provide to customers include both products and services. For example, a tangible or intangible product may be accompanied by some related service, or a service may be accompanied by some tangible or intangible product.

A.3 Understanding the needs and expectations of interested parties

Clause 4.2 contains requirements for the organization to establish (identify) the interested parties relevant to the quality management system and the requirements of these interested parties. However, Clause 4.2 is not intended to extend the requirements for a quality management system beyond the scope of this International Standard. As stated in the scope of this International Standard, it is applied when an organization needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and to improve customer satisfaction.

There is no requirement in this International Standard that an organization consider the interests of any parties if it decides that those parties are not relevant to its quality management system. It is up to the organization to decide whether any specific requirement of the relevant interested party is relevant to its quality management system.

A.4 Risk-based thinking

The concept of risk-based thinking was implicit in the previous edition of this International Standard, for example in the requirements for planning, review and improvement. This International Standard specifies the requirements for an organization to understand its context (the context in which it operates, see 4.1) and to establish (identify) risks as the basis for planning (see 6.1). This reflects the application of risk-based thinking to the planning and implementation of quality management system processes (see 4.4) and will assist in determining the scope of documented information.

One of the key purposes of a quality management system is to function as a prevention tool. For this reason, this International Standard does not have a separate section or subsection on the subject of preventive action. The concept of preventive actions is expressed through the use of risk-based thinking when formulating requirements for a quality management system.

The risk-based thinking applied in this International Standard has created opportunities to reduce peremptory requirements and replace them with requirements based on real business practice. There is now more flexibility in the requirements for processes, documented information and allocation of responsibilities in an organization than in ISO 9001:2008.

Although Clause 6.1 states that an organization should plan to respond to risks, there is no requirement for a formal risk management method or documented risk management process. It is up to an organization to decide whether to develop a more comprehensive approach to risk management than required by this International Standard, for example through the application of other guidance or standards.

Not all quality management system processes carry the same level of risk in terms of an organization's ability to achieve its objectives, and the impact of uncertainty is also not the same for all organizations. For the purposes of Clause 6.1, an organization is responsible for its application of risk-based thinking and for the actions it takes in response to risk, including deciding whether or not to record and retain documented information as evidence of its risk determination.

A.5 Applicability

This International Standard makes no reference to "exceptions" to the applicability of its requirements to an organization's quality management system. However, the organization may consider the applicability of the requirements, taking into account the size or complexity of the organization, the management model adopted, the areas of operation, and the nature of the risks and opportunities it addresses.

The applicability requirement is contained in clause 4.3, which specifies the conditions under which an organization may decide that a requirement cannot be applied to any of the processes within the scope of its quality management system. An organization can only decide that a requirement is not applicable when its decision does not result in the failure to ensure conformity of products and services.

Hello colleagues. Let's continue talking about risks, or rather, not about the risks themselves, but about risk-based thinking.

Let me tell you straight away that there is an official document (clarification), ISO/TC 176/SC2/N1284. It is worth reading in order to understand the logic of the developers of ISO 9001:2015, since this document was written by the developers of the standard themselves. But it is in English, so I will try to explain the essence of risk-based thinking in simple terms, based on the provisions of this document.


In fact, risk-based thinking is very simple. And each of us (if he is not a client of a psychiatrist) uses it constantly, but does not think about it.

Every time we make a conscious decision (and ISO standards require decision-making based on facts, that is, precisely conscious decisions), we always ask ourselves at least two of the following 4 questions:

Why did I say that risk-based thinking is used by any person when making a decision? Let's try to apply this matrix of questions, for example, when choosing where to cross a highway. Don't we cross the road every day?

Situation: We have an important meeting in 30 minutes at a place that takes exactly that long to reach by going in a straight line across the road. There is an underground passage 500 meters from our location. There are no ground crossings or traffic lights near us. We need to decide whether to cross the road in the place where we are, or go to the underpass, then walk the same distance back on the other side and continue along the route.

ATTENTION. This is just a real life example. All your decisions must be within the existing rules and laws!

So let's use a matrix. Task: cross the street safely, and not be late for a meeting. The safest option is to use the underpass.

1. What will I get if I don't? I will be able to get to the meeting on time, but I risk being hit by a car.
2. What will I get if I do this? I run the risk of being 10-15 minutes late for a meeting, but I will cross the road safely and without the risk of life from the traffic on the road.
3. What will I lose if I do this? I will probably lose clients if those who are waiting for me at the meeting are too impatient.
4. What will I lose if I don't? I risk losing my health or life by being hit by a car.

And then comes the risk assessment. If the road is not very wide, and there are no cars on the left and right, then it would be possible to cross it right where we are. If this is a highway with 6 lanes in each direction, then the risk of being hit increases, and it is better to lose a client than life, so we use the underpass.

You will agree that such thoughts fly through our heads in a split second, and most often a person makes the correct decision. This is the unconscious risk-oriented thinking inherent in each of us. Sometimes it is also called the instinct of self-preservation.

In QMS language, simply replace the word "(won't) do" with "it's (not) done" and the word "I" with the word "we".

In principle, it is not necessary for everyone in production to have such thinking. One persistent person is enough, who will be able to formulate the right questions for each problem and ask them to the right specialists, and then put everything together, make an analysis, formulate a report and submit it to top management so that a final, fact-based decision can be made.

For example: statistics for the year came to the technical control department - a batch of bolts manufactured and sold throughout the country has a discrepancy in thread diameter. Correction is indispensable here, the bolts are already made, they cannot be redone. Corrective actions are needed.

QCD, in cooperation with the quality management service, should conduct a study of the causes of the nonconformity, identify corrective actions (CA), and for each of them conduct a risk analysis.

For starters, you can use the above matrix, and then it will all become a habit. The main thing is not to rush, provided, of course, that the risk of releasing nonconforming products while the corrective actions are being worked out is not high.

The main thing is to work out, for each item of the design documentation, the maximum number of questions in accordance with the matrix, your intuition and your experience, and to get the most unambiguous and specific answers from those who are responsible for these questions.

Risk-based thinking has a special role when introducing something new in production: a new technological process, equipment, etc. At the same time, at the stage of preliminary (conceptual) study of the implementation project by the plant's technical services, it is imperative to involve employees of the quality management service. And the best thing is to create a technical council at the enterprise, which must necessarily include representatives of the quality service. In my article "" I showed in detail by example how expensive errors are at various levels of problem solving.

If you are going to buy a new machine, then risk-based thinking should tell you that it is easier to catch an error and eliminate it at the stage of agreeing on the parameters of the machine, the conditions for its purchase, installation, operation and maintenance, the distribution of personnel responsibilities for these works, etc., than after the machine has been bought for 2.5 million and it has become unclear how and where to put it, where to get spare parts, and who will be responsible for this machine.

It's very natural! No more difficult than deciding where to cross the road. This is fine.

Yes, it's all difficult to implement in reality, but you need to do it! And first of all, this should be understood by the leadership. The will of the leadership is 50% of success. The rest is our work.

Risk-based thinking has become a necessity

In One Language

Svetlana Mochalina, Director of the Legal Department and Risk Management Department of L’Occitane Rus, spoke about how the risk-based approach in the work of supervisory authorities affects the work of a business.

In recent years, the approach of state bodies to such inspections has changed. Now they evaluate violations by looking at criteria such as the degree of risk to the business; implementation of preventive measures; the procedure for conducting a risk assessment; measures aimed at reducing risks by an economic entity and exercising control.

– Because we also operate in the retail market, and in addition to the wholesale segment, franchising, licensed SPA business and online stores, we have more than a hundred of our own retail stores, the so-called "open" points of direct sales, we must be prepared that at any point, without prior notice (and with it), different government bodies and their territorial subdivisions throughout the country may arrive: the Federal Antimonopoly Service of the Russian Federation, the Federal Tax Service of the Russian Federation, the Ministry of Emergency Situations of the Russian Federation, Rospotrebnadzor of the Russian Federation, Roszdravnadzor, OATI, the Department of Economics and Politics of the City of Moscow. In this regard, we thought about how to ensure effective business protection and sustainable communication with government agencies,” comments Svetlana Mochalina. – One of the tools for preventing and reducing risks in general is the introduction of a preventive compliance system in the broad sense of this word. Here it is important, on the one hand, to hear the legislator, to realize and fulfill his will; on the other hand, by introducing legislative requirements, rely on the specific tasks of the business, insuring it at every step towards achieving the goal; build a flexible but resilient bridge between the rigid footholds of the law and the fragile realities of the opportunistic nature of Russian business in a rapidly changing environment.

The goal of introducing any compliance, including antitrust compliance, is to reduce the likelihood of the risk of violation and, as a result, the risk of sanctions. However, the main objectives of implementing an effective compliance system are not only minimizing business risks and increasing its role in the work of government agencies, but also managing business processes in general, as well as increasing the level of staff efficiency.

– The most important and difficult to achieve, and most importantly, the most successful tool of the future and the present is the impeccable reputation of the business / company, its formation, work on it every day. If a company implements preventive compliance measures and values its reputation, even in the presence of a possible offense, it can count on mitigation of liability, and sometimes even avoid it altogether. This axiom is actively supported by the numerous government agencies mentioned above, which means that we speak the same language,” summed up Svetlana Mochalina.


Focus on Opportunity

Irina Walter, Head of Supply Chain Quality at FM Logistic, shared her experience of integrating risk management into key decision-making processes.

“Because we are a multi-customer company, we must not only assess and manage risks from an internal compliance perspective, but we also need to target multiple clients whose storage and transportation requirements can be very different. Thus, we are constantly interacting with clients, bringing the information received from them into our risk management approach,” the speaker clarifies.

FM Logistic considers compliance with laws and fair competition in the quality of services provided to be one of the main priorities in the development of a fair and profitable business. At the same time, the risk of bribery and corruption at the level of suppliers is eliminated through internal and external audits, and inspections are carried out on a scheduled and unscheduled basis. In addition, the parent company constantly conducts compliance audits in all countries where FM Logistic operates. The security service also plays a major role: it checks each counterparty before work with it begins in order to fully comply with the legislation of the Russian Federation.

Irina focused on risk response strategies. In particular, instead of avoiding risks, she advised using them to the benefit of the company. For example, the project plan can be modified to eliminate a threat or insulate project objectives from the consequences of risk by attracting more qualified personnel and providing higher quality than planned. This approach is more effective than a categorical rejection of risky projects and unreliable partners.

– We apply a risk-based approach to business, focusing not only on risks as threats to business, but also on opportunities that contribute to its development. Our company uses risk-based strategic planning, which is the basis for the gradual implementation of the change management process. There are various tools for minimizing existing risks: internal analytics, internal process audits, a focus on the development of a continuous improvement process, as well as audits of contractors - transport companies with which we work. Minimizing the risk for us means bringing it to a manageable level, finding the optimal control measure. A risk-based approach is implemented in FM Logistic at the corporate level and is built into the global “Compliance” process, which makes it possible to systematically assess risks from the point of view of the risk appetite of risk owners, monitor them, evaluate the effectiveness of the fulfilled risks and see the effect on the business from the implemented efforts of our team,” explained Irina Walter.


A Beacon for Project Management

One of the key points of the program was the speech of Sergey Salamatov, Head of Staff of NLMK Vice President for Risk Management, who spoke about the features of integrating risk management into the project management system.

The speaker cited data from the PMI's Capturing the Value of Project Management study, conducted in 2015, which analyzed the activities of three thousand companies. The study shows that, on average, only 64% of projects achieve their goals. Representatives of the Project Management Institute tried to figure out why leading companies achieve their goals better. As a result, key success factors are formulated, the presence of each of which increases the level of achievement of goals.

The greatest effect on the success in project implementation, according to the PMI study, is exerted by the simplest factors: the responsibility of top management for the project; a clear understanding of the scope and likelihood of achieving project benefits over the course of the project life cycle; understanding that the result of the project is in line with the company's strategy; organization of knowledge exchange between project managers.

Successful implementation of these factors is achieved through the integration of risk management with the project management system. The role of risk management in investment activities cannot be overestimated, and the PMI study illustrates that the complex and systematic application of quantitative investment risk assessment will increase the likelihood of achieving project goals by 15-20% and not only bring financial benefits, but also increase efficiency.

– Risk assessment, one way or another, is applied by everyone, but the difference between implementation options is too big. In some cases it can be a typical risk map with a qualitative assessment of a number of risks according to the “traffic light system” – red/yellow/green. But what should project managers do based on this assessment? What information does it give them? - explains Sergey Salamatov. – A completely different situation is when the impact of risks on project targets is quantified using tools such as scoring models or simulations. This approach allows you to analyze the sensitivity of project targets to various risk factors, assess the likelihood of achieving results, take into account mutual influence factors and the combined effect of risk realization. Based on such data, it becomes possible to make risk-based decisions on the implementation of projects. Thus, the assessment of target indicators of a project at risk (IRR, NPV) will help to prioritize projects taking into account risk and optimize the cumulative effect of the implementation of the strategy.

Speaking about the project management system, the speaker emphasized that when implementing investment projects, three groups of target indicators can be distinguished: project budget, implementation period and efficiency. Accordingly, there is a risk of rising costs, delays and reduced profitability. It is important to understand that project management implies constant change management: it is clear that it will not be possible to protect the project from all adverse events, but it is possible to make decisions based on their potential impact on the project. The quality of decisions made will depend on the accuracy of this assessment.

– Some of the risks are typical, they are inherent in the business processes included in the project implementation perimeter. They can and should be assessed by integrating risk management with the company's internal control system. The management of these risks is associated with an increase in the quality of risk coverage by internal controls. In investment activity, in this way, it is possible to assess the increase in project implementation costs due to inefficient implementation of design processes, supplier selection, construction and installation works, and others, - the expert comments. – In addition, in each project there are specific risks caused by the uniqueness of the project's subject area. They are accompanied by high uncertainty - it is impossible to unambiguously estimate the expected losses. This uncertainty should not be overlooked: it can lead the project to diametrically opposite results, and this cannot be done without simulation modeling. Timing offset risks can also be assessed using Monte Carlo simulation tools. Such an assessment allows the project manager to establish increased control over the implementation of critical work and most effectively allocate resources for project risk management within the framework of deadlines and budget.

Quantitative risk assessment of investment projects using simulation modeling tools is recognized as being in demand among world leaders and is used in various sectors of the economy. For example, the London Underground uses this method to assess the risks of investment projects and passenger safety, and the world leaders in consumer goods supply, Unilever and Procter & Gamble, use it to assess risks related to the development and application of the latest technologies and the implementation of innovative projects. In Russia, significantly fewer non-financial companies use quantitative assessment of investment risks on a regular basis. Tellingly, the PMI survey also included only European and American respondents.

– It should be assumed that the effective integration of risk management with the project management system is the “beacon” towards which project management in Russia will move in the coming years, repeating global trends. Because this “beacon” provides the information necessary for management to make risk-based decisions that help improve the efficiency of implementing strategic initiatives and achieve the required financial result,” the speaker concluded.


Don't Compete, Complement

Igor Vinnikov, the risk manager of the NefteTransService Group, outlined the pros and cons of integrating the functions of risk management and risk-based internal audit.

He drew the attention of his colleagues to the differences between risk management and internal audit, noting that the former is associated with the analysis and evaluation of external alternatives, threats and opportunities for strategic and tactical business development, and the latter is mainly aimed at assessing the effectiveness of the company's business processes, including risk management. Often in practice, the functions of risk management and internal audit overlap within the same unit, which does not allow obtaining a synergistic effect and independent information on how effectively risk management actually works.

In addition, given that risk-based audit often uses the same mechanisms and tools as risk management (for example, maps and risk registers), the company's management may experience confusion and misunderstanding of the purpose of these two functions, and the question justifiably arises - how are these services different?

– Risk management and internal audit can effectively complement each other: the exchange of information between these departments will make it possible to identify a particular risk at an early stage, - Igor Vinnikov comments. – At the risk assessment stage, risk management calculates what the overall result for the company could be if it is implemented; risk-based audit focuses on an independent, usually retrospective assessment of the audited business process. To influence the risk, risk management develops appropriate measures, and if it is necessary to adjust the business process, it is responsible for its timely change. The function of a risk-based audit at these stages is to develop recommendations and monitor their implementation.

To improve such interaction, it is necessary to unify the terminology and approaches used; plan audits taking into account signals from the external environment; inform and involve the risk manager in the development and implementation of a corrective action plan in the presence of external factors; strengthen the role of internal audit as a factor in the development of risk management, and vice versa.


It is better to prevent than to eliminate the consequences

Nadezhda Sheveleva, Head of the Ecology and Environmental Protection Department at Ruspetro JSC, spoke about the importance of environmental risk management in the activities of industrial enterprises. In particular, Nadezhda spoke in detail about the components of environmental risk and the features of its identification in the oil and gas industry. She also mentioned a strategy for managing environmental risks in the development of oil and gas fields and gave examples of identifying the causes of environmental risks.

Currently, work with environmental risks is carried out in the context of ambiguous interpretations of regulations and rapid changes in the legislative framework, which complicates the conduct of production activities.

According to the speaker, the management of environmental risks within the production activities of an enterprise is a complex and multi-stage process. It is necessary to analyze the requirements of the legislation in terms of environmental protection obligations; assess the likelihood of environmental risks under the current management system; define the possible consequences of the occurrence of these risks, including environmental damage; determine the methodology for assessing possible consequences in monetary terms (compensation for environmental damage, fines for violating the requirements of environmental legislation). In addition, it will be necessary to assess the possible consequences in terms of value and rank them; determine measures to reduce and prevent damages from identified risks; evaluate the effectiveness of the necessary investments to reduce and prevent risks; decide on the implementation of specific risk management measures. Only after that is the environmental risk management system updated and responsible persons appointed to manage the risks.

As follows from practice, the total costs of measures to prevent risk and implement environmental measures will be significantly lower than the cost of eliminating the consequences of their implementation, taking into account the obligation to comply in a timely manner with the requirements of legislation in the field of environmental protection. Nadezhda Sheveleva recommended taking this fact into account when planning management activities in terms of environmental management.


Nobody is immune from fraud

In any company, the risks associated with unethical behavior and fraud on the part of personnel are periodically realized. As a result, the company may not only suffer financial losses, but also face reputational risks. This important topic was raised by Marina Bugorskaya, Managing Director for Financial Audits at AFK Sistema.

According to official statistics, companies suffer the most significant damage as a result of fraudulent actions with financial statements. This refers to the artificial overestimation of assets, underestimation of liabilities, underestimation of costs. It is believed that deliberate misrepresentation of reporting or creative accounting is less common than other types of fraudulent schemes. In practice, the most frequent are fraudulent activities aimed at the theft of assets, corruption and withdrawal of funds from the company.

Since the publication of the new version of the standard, ISO 9001:2015, perhaps the most questions and discussions have arisen regarding one of the new requirements: the application of risk-oriented thinking (in English, "risk-based thinking"). I recommend watching the video "Main differences between ISO 9001:2015 and ISO 9001:2008".

On my blog, I have written several articles on the topic of risk management (see articles: “Risk management instead of preventive actions”; “Risk management - basic steps”; “Risk management in business”, etc.). In continuation of the topic, I decided to write about what "risk-based thinking" is in terms of ISO 9001:2015 and how to apply it.

Risk-oriented thinking means, first of all, the implementation by the organization of a set of agreed activities and methods to manage and control the multiple risks (positive and negative) that affect its ability to achieve planned goals. Risk-based thinking, in fact, replaces the requirement to take preventive action from the previous version of the standard.

It cannot be said that risk-oriented thinking is a completely new requirement. In an implicit form, it was always present in ISO 9001. In previous versions of the standard, including ISO 9001:2008, there was a requirement to predict and prevent errors and inconsistencies (implementation of preventive actions), which also applies to risk-based thinking. Organizations trained people, planned work, allocated responsibilities and authorities, verified results, conducted audits and reviews, monitored and measured processes. All these actions were aimed at avoiding mistakes and achieving success.

In this way, organizations tried to manage their risks and opportunities. Therefore, it can be said that risk-based thinking has always been a part of ISO 9001 and organizational Quality Management Systems. It was just implicit before, but now it is explicit. So why did the developers of ISO 9001:2015 decide to make the application of risk-based thinking more explicit and actually replace preventive actions with it? What new things should organizations do that they haven't done before?

The fact is that preventive actions in most organizations were often carried out "for show", out of the need to fulfill the ISO 9001 requirement, not as a real tool for moving forward and continuous improvement. Often, preventive actions were performed at an inadequate level and haphazardly. In addition, in many organizations the responsibility for assigning and implementing preventive actions was left to some member of the quality team who was not able to capture all the issues that really affect the organization at the top level and contribute to continuous improvement.

To meet the requirements of the new version of the standard, organizations need to plan and act in response to risks and opportunities.

The new standard expects organizations to systematically identify and effectively address risks that could affect their ability to deliver conforming products and services and meet customer needs. It also expects organizations to identify their capabilities, which can enhance their ability to deliver conforming products and services to satisfy their customers.

The new standard also expects organizations to identify risks and opportunities that could affect the performance of their Quality Management Systems or disrupt operations, and then determine actions to address those risks and opportunities. Organizations should also determine how they intend to make these activities part of their Quality Management System processes and how they will monitor, evaluate and review the effectiveness of these activities and processes.

According to the requirements of the new version of the standard, top-level managers should be involved in the process of identifying, registering, eliminating and reducing risks. With this in mind, from the very beginning of the application of risk-based thinking in an organization, it will be possible to see that it is more effective than previously applied preventive actions.

It is very important that the identification of risks and the selection of appropriate risk management measures are placed on the agenda of regular management meetings. Equally important is ensuring that the organization has established channels through which all employees at lower levels can convey their opinions upward for consideration by the management team.

Then organizations will have risk-oriented thinking that is led by a top management team with key strategic knowledge of business threats and opportunities, and simultaneously supported by information from all levels of the organization (some of which was previously unknown to them and, accordingly, was not considered).

Thus, instead of preventive action, which was previously mainly carried out at a lower level, organizations are now offered risk-based thinking, led by a top management team that owns complete and comprehensive information. Naturally, the management decisions resulting from this approach and the subsequent actions will be more effective on the basis of the participation of the entire company than the pre-existing process of preventive actions.

While risk-oriented thinking is now part of the new standard, the standard does not require a specific document describing the organization's risk-based approach. However, based on my experience, it is better if it is described in a document in order to ensure consistency and uniformity of application throughout the organization.

I also recommend my article on another new requirement in ISO 9001:2015 - understanding the context of the organization.