Official presentations on ISO 9001:2015’s development show that ISO Technical Committee 176, with significant influence by the US TAG to TC 176, had immediately begun crafting a set of talking points to convince the public that risk-based thinking was the product of user demand, despite official User Survey data showing otherwise. Oxebridge has reported that “RBT” was inserted to meet a crash of external pressures placed upon TC 176, including the imposition of “Annex SL” which demanded risk be addressed in some form, and a fast-approaching final publication deadline established by ISO. The ISO presentations appear to mask the influence of Annex SL on risk-based thinking.

“Risk-based thinking” first appeared in a version of the Committee Draft (CD) of ISO 9001:2015 dated June 2013, developed by TC 176 subcommittee 2 (SC2); it may have appeared in an earlier draft of the CD not available to the public. The first official ISO presentation discussing RBT was released in December of that year, as document N065. That presentation contained what Oxebridge calls the “Ur-Text” of what would later become official talking points on RBT repeated the world over, including the ideas that “risk-based thinking has always been implicit in ISO 9001” and “risk-based thinking is something we all do automatically and often sub-consciously.” Despite many consultants subsequently claiming they either invented risk-based thinking, or were practicing it decades earlier, the term never existed prior to the CD draft of ISO 9001:2015, published in 2013.

One month after the December ISO presentation, in January 2014, US TAG to TC 176 member Jack West gave a talk to the Houston ASQ section using another presentation, ISO document N1195, which repeated, verbatim, the talking points from the December file and went into some additional detail on interpretation. It is not clear if Jack West created the presentation’s materials or was merely reading them to the Houston group, but the slide notes do appear to be written by West. That presentation included a slide which attributed the changes being made to ISO 9001:2015 to considerations including “the results of an extensive web-based user survey”:


Nowhere in the Jack West presentation is any other rationale given for the inclusion of risk-based thinking, leading the audience to believe it was included because of the reasons shown above, including the user survey; however, the “talking points” appear to have crystallized by this time, likely the result of a November 2013 plenary meeting of SC2 in Porto, Portugal.

A few months prior to the Jack West presentation, in August of 2013, another official ISO presentation was given to an unspecified audience. This document, number N062, included the same language about considerations as shown in the West slide, but lacked any of the risk-based thinking language of the December 2013 presentation. This provides additional evidence that the talking points on RBT had not yet been developed in August, but by December had become official.

The August 2013 presentation includes another slide (slide 22) which is, perhaps intentionally, missing from all presentations thereafter: a slide of the ISO 9001 User Survey results, which demonstrably prove that users were not demanding risk be included as their top priority, but instead three other issues: “resource management”, “voice of the customer”, and “systematic problem solving and learning”. All three of those were ignored entirely by TC 176, while risk-based thinking was given priority. Furthermore, the fourth highest ranked desire read “integration of risk management,” something that was rejected by TC 176. The committee instead opted to invent “risk-based thinking” as a way to avoid invoking full-fledged risk management, and instead create a “light” version of risk that was simultaneously a hybrid with preventive action.


“Knowledge management” was another subject requested by survey respondents, which resulted in a new clause “Organizational Knowledge” being added to the standard. The request for “Measures (performance, satisfaction, ROI)” was largely ignored, addressed only by re-worded language from the previous ISO 9001:2008 version, with ROI left out entirely. There is no mention at all in the User Survey of any discontent with “preventive action,” a point routinely made by TC 176 to justify RBT, as it intended to address risk while “fixing” preventive action.

The very next slide of the August presentation, slide 23, however, shows how TC 176 was already skewing the results to achieve the goal they wanted, which was to include risk in ISO 9001, no matter what. On that slide, it lists “world-wide survey key user inputs” as including “tools and risk management,” contradicting the data on the preceding slide. In fact, “supporting quality tools” ranked last in all the suggested considerations, shown on slide 22.


A copy of the User Survey 2010 results can be downloaded here. In that survey, the choices that users could select for future considerations were hardcoded into the survey as check-box options, and not manually suggested by the respondents themselves.  The document’s metadata shows it was last edited by George Hummel, of the US TAG to TC 176. All the presentations follow a template created by Cisco Systems, the employer of then-US TAG Chair Alka Jarvis, a friend of Hummel. Alka Jarvis was praised by ISO for her work on the Survey, so it appears she worked on the questions, as well as the final reporting, with Hummel. George Hummel has been a vocal critic of Oxebridge, calling its founder Christopher Paris a “shit thrower” and publicly calling for a boycott of Oxebridge.

The June 2013 CD of ISO 9001 includes introductory text that clearly positions the invention of RBT as a result of the imposition of Annex SL, and not User Survey demand:

d) Risk and Preventive Action

Annex SL, Appendix 2 High Level Structure and core text does not include a clause giving specific requirements for ‘preventive action’. This is because one of the key purposes of a formal management system is to act as a preventive tool. Consequently, the High Level Structure and Identical text require an assessment of the organization’s ‘external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s)’ in clause 4.1, and to ‘determine the risks and opportunities that need to be addressed to: assure the quality management system can achieve its intended outcome(s); prevent, or reduce, undesired effects; achieve continual improvement.’ in clause 6.1. These two sets of requirements are considered to cover the concept of ‘preventive action’, and also to take a wider view that looks at risks and opportunities. This approach is continued in the discipline specific text added to the Annex SL core text to require risk based thinking and a risk driven approach to preventive action throughout the development and implementation of the quality management system. This has also facilitated some reduction in prescriptive requirements and their replacement by performance based requirements. Although risks have to be identified and acted upon there is no requirement for formal risk management.

Original text from version 2.2 of the CD of ISO 9001:2015, June 2013


Furthermore, when the User Survey was first published by ISO in December 2011, Alka Jarvis reported the data without mentioning risk management at all. Instead, Jarvis reported, “of 6,299 responses, 75% considered resource management as the most important concept to incorporate into ISO 9001, closely followed by ‘voice of customers’.” She goes on to summarize that many respondents suggested that, while major changes were not required, improvements could be made to [ISO 9001]. In the January 2015 Jack West presentation, this idea is reworded entirely, framing major changes as being driven by “key user demand”, saying, “ISO 9001, as it is, must change to continue to be relevant.” (See slide 23 above.) That is an intentional falsification of the data from the User Survey itself, and contradicts Jarvis’ initial report.

The presentations provide a glimpse at a timeline ISO has otherwise tried to obscure. ISO User data clearly showed the public was not desirous of significant change, nor of introducing risk management, nor of removing preventive action. Instead, these actions were prompted by the imposition of Annex SL by the non-elected ISO Technical Management Board as early as 2011. By March of that year US TAG SC2 Chair Lorri Hunt had already begun giving $1,000 per attendee speeches on the subject, pointing to an immediate acquiescence by TC 176 to the Annex SL mandate. At no point does there appear to have been a formal, critical comparison between the actual User Survey data of 2010 and the Annex SL imposition of 2011; ironically, at no point does it appear that TC 176 conducted any risk assessment itself on pursuing compliance with Annex SL and inventing RBT. Had there been, TC 176 might have pressed back on the TMB and rejected Annex SL; instead, TC 176 — with significant influence of the US TAG and Alka Jarvis — intentionally ignored the will of ISO 9001 users. They then proceeded to implement Annex SL and, by 2013, began working on an official “storyboard” of talking points with which to convince the public that risk-based thinking had been added by popular demand. Those talking points then distorted factual data and previous ISO documents in order to make the case for RBT.

Oxebridge has argued that risk-based thinking is inherently dangerous, in that it dilutes formal risk management to a meaningless state, and in conjunction with the removal of formal, robust preventive action measures, is likely to increase risks related to product and service quality, and thus increase risk to the public.



