6 Basic Questions to Create Your

Risk Based Thinking Model for ISO

9001:2015
 Published on August 13, 2016
 Like 6 Basic Que stions to Create Your Risk Ba sed T hinking Model for IS O 9001: 2015

171
 Comment

32
 ShareS ha re 6 Ba sic Questions to Create Your Risk Ba se d Think ing Model for ISO 9001: 2015

112

Mohammad Elshahat, ASQ CSSGB

FollowMohammad Elshahat, ASQ CSSGB
Lean Management | Six Sigma | QMS ISO 9001

So far, I don't know what was wrong with the typical risk management process, that
motivated the ISO folks to come up with this brand new term (Risk Based
Thinking).

However, in this article, I'm going to show you a proven and easy way to create a
Risk Based Thinking Model based on ISO 9001:2015 clauses.

But before delving into the details, I'd like to share a quick story with you ...

Do this and you will get lousy results. The last time my friend held a meeting to
identify risks with his coworkers; he got unexpected and unpleasant results. The
meeting ended up with more confusion and he couldn't achieve the meeting’s
outcomes.

It was the first meeting with the head departments in his organization after the
transition training to QMS ISO 9001:2015. He asked everyone to brainstorm the
risks that they might encounter in their work.
Tens of negative responses, consequences and bad events started to flow while no
one mentioned any upside risks or opportunities! He tried to show them that the term
risk includes both upside risks (opportunities) and downside risks (threats).
Some are convinced, others refused the idea, and the rest were confused.

Can you figure out Why did this happen?!

He didn't prepare them for the easiest but the most important stage in the risk
management process: “The Definition Stage or Establishing the Context”

Despite the training your people attended about the new QMS ISO 9001:2015, but
their mind still wired with the layman's definition of risk. Ask anyone if he would
like to have a risk happen for him/her and you will get “No” responses all the time.

It's important to be clear about the definition of risk to avoid confusion among teams
trying to manage their risks.

I can’t emphasize this more, one of your challenges as a quality professional is

to install and instill the technical definition in your people’s mind before moving
on, to not confront the same results of my friend.

In this article I’m going to show you how to create a Risk Based Thinking Model
for your ISO 9001:2015 implementation. In addition to, I’m going to provide you
with 25 techniques and tools to properly identify and analyze upside and
downside risks. To do so, four things I’m going to share with you, Today:

 How Risk Based Thinking and Risk Based Auditing will go together?
 How to shift your people’s mind to adopt the technical definition of
risk?
 6 universal questions to formulate your Risk Based Thinking Model
 The Risk Based Thinker’s Toolkit.

Risk Based Thinking and Risk Based Auditing

One of the benefits of risk based audits that had been introduced since 2011 is to
unlock the hidden risks that couldn’t be identified by the organization itself and
monitoring of the current risk treatments.
But the auditor may fail to identify significant risk, or may identify a risk that is not
important, because the auditor’s evaluation mainly depends on samples, therefore
that would involve a sampling risk.

The new ISO 9001:2015 incorporated Risk Based Thinking to the quality
management system in the very beginning, during the planning stage, so all risks
and opportunities associated with the organization’s context and objectives are
identified, analyzed, treated and monitored a head of time.

The internal or external auditor is not solely responsible for this anymore, but the
organization leadership and every process owner too.

This is how Risk Based Auditing and Risk Based Thinking will go hand in
hand, and I’ve devoted the rest of the article to show how to do this without being
overwhelmed by the risk management jargon.

Rewire The New Paradigm

The story that I’ve introduced earlier can simply happen inside your halls, so you
have to prelude the risk term to your people in a manner that doesn’t confuse them.

But, how can you do that?

How to take your people from where they’re (the layman’s definition of risk) right
now to a new mental model, different paradigm, and different way
of thinking about risk?

You can do that by letting them recognize that

both threats and opportunities are equally important to their business success,
and to make that crystal clear in their mind, you have to introduce to them the two
failings.

There’re two equal failings should be avoided:

1. Threat occurred and could have been mitigated or avoided.

2. Opportunity missed and could have been seized or exploited.
“Fear of harm ought to be proportional not merely to the gravity
of harm, but also to the probability of the event.”Antoine Arnauld
(1612-1694)
“The excitement that a gambler feels when making a bet is equal
to the amount he might win times the probability of winning it.”
Blaise Pascal (1623-1662)

Read the two quotes again with pondering, I intentionally brought them
here …. What are their implications?

The theologian and philosopher Arnauld and his friend Pascal, the developer of the
theory of probability, they had framed the downside risk and upside risk in these two
quotes many years ago. These quotes reveal that the idea of treating threats and
opportunities the same is not new, since it was being addressed by two of the earliest
thinkers in the field of risk management.

If you still have doubts, or not convinced, I have explained this in my previous
article with a conducted survey. You can pause, and go read it from here.

Now you’re ready to approach the risk definition, so let’s dive into the details …

The Socratic Method and The Six Universal Questions

A quality leader should realize the incredible power of questions and how it could
shape people’s thoughts and let them learn virtually anything. In fact the entire
Socratic Method is based on the teacher is doing nothing but asking questions,
directing the student’s focus and getting them to come up with their own answers.

“He who asks questions cannot avoid the answers” Cameron

Proverb

If you’re a business owner or a senior executive and can’t afford the huge budget of
the risk management process, taken time for risk workshops, creating risk registers
and reports, then update all of that consistently.

And you’d like to be leaner than that, especially there’s no formal framework or
even documents required by ISO 9001:2015! which sounds so dumb!
Then, you can use the questioning approach to manage risks smoothly and
effectively.

There’re six universal questions, any risk based thinker (e.g., risk manager, quality
specialist, or an executive) could ask himself/herself or among teams These
questions are universal because they follow the typical risk management process
(see Table 1)

Table 1: The six questions and its reference in ISO 9001:2015

Using these simple questions as a framework for managing risks in SME’s will
make you avoid using Risk Management Jargon. So, your people can easily
understand what are you asking them, and they’re not going to feel overwhelmed.
However, these questions could be used at any size of business regardless its
industry.

Here’s an important practical tip I’d like to share with you. Don’t treat all
your processes as the same. Of course, there’re some processes are more critical than
others, some activities have greater impact than others, and some tasks have more
probable consequences than others.

So, you can go deeper with more investigation in every stage of risk management
and ask questions like: How? When? Where? and Why?

You’re the one who will decide whether to dive or just swim! But to help you in this
decision, consider the following three elements….

Three main elements you have to consider if you want to go beyond these questions
(such as adopting ISO 31000 as a guidance), unless this framework satisfies your
needs. The three elements are:

 The size of your organization and its context,

 The complexity of your processes,
 The competencies of the people who’re doing the job.

But large corporations will need to go into a detailed risk management process to
cover all their internal and external major risks. So, they might hire full time risk
managers, use specialized risk management software, and create detailed risk
reports.

On the other hand, SME’s can run a meeting to figure out the answers of these
questions, then doing this in specific intervals or so, to review taken actions, and
share the lessons learned.

These intervals could encompass but not limited to day to day routine checks, self
assessments (internal audits), management reviews, and vendor assessment. All of
these are also called performance audits or Risk Based Audits.

In the same time, You're not violating the typical risk management process, but
following it with less formality.

What's Next!
In this article and my previous one, I tried to make the term risk clear for you, then
I showed you how to develop a Risk Based Thinking Model so you can address risks
and opportunities in your organization.

I also didn’t forget to supply you with the techniques and tools to support your risk
management program. Here’s the Risk Based Thinker’s Toolkit, you can
FREE download it from here, and it provides you with:

 8 risk identification techniques,

 5 opportunity analysis techniques and methods,
 3 threat analysis techniques and methods,
 9 techniques for both threats and opportunities.

Now, I want you to do two things. First, let me know how did you find this article
helpful for you? Second, what is the ONE thing that you still struggling with in your
transition?

If you’re on a transition to the new QMS ISO 9001:2015, read this article
too:

 3 Things You Have to Know About ISO 9001:2015 Risk’s Definition Before
Moving On and don't leave before downloading your FREE Copy of the
required Documented Information by ISO 9001:2015

P.S. This article and the six questions are inspired by the work of Dr. David
Hillson, he's know as The Risk Doctor. He has valuable contributions to the
risk management field. He published a paper entitled "Managing risk at your
SME" (2015) which includes the six question, I just made a little tweaks and
cross referenced them to ISO 9001:2015 clauses. What interesting is that the
six questions follow the typical risk management process that is introduced by
ISO 31000.
ShareS ha re 6 Ba sic Questions to Create Your Risk Ba se d Thinking Model for ISO 9001: 2015