Part 1: The COTO Exercise

I’ve made it clear I am no fan of the vague, peyote-sourced “risk based thinking” (RBT) language that TC 176 added to ISO 9001:2015, nor its clearly non-consensual “include risk or else” origins from a mandate by overcaffeinated ISO executives. The thing is, we’re stuck with it, and no amount of garment rending will undo it. I know, since I’ve rended all my garments, and am typing this naked.

Moving past that mental image (you’re welcome), if we must adopt RBT then it behooves us to figure out just how to do it in the best practical way possible, without falling into one of two traps:

  1. We don’t want to let the vague language of RBT in ISO 9001 translate into doing nothing
  2. We don’t want to let the growing chorus of ill-informed CB auditors have us overdo it, and apply FMEA to everything

Instead, the text of ISO 9001 tells us that it’s entirely up to the company to decide what level of risk consideration to adopt. And that’s great. But before we can do that, we have to tackle an entirely different clause of ISO 9001:2015 first, and it’s also new. This is the clause related to “context of the organization” (which I’m calling “COTO,” an abbreviation I am planting the Oxebridge flag in, so that years later you know who invented it). Anyone jumping into the risk clause without tackling COTO has missed an important step. This also proves that those FMEA-addicted auditors have no clue what they are talking about, since COTO will drive the decisions on which risk treatment methods to select.

COTO en Toto

Why COTO first? If we look at the first requirement in clause 6.1.1 related to risk, we find it pushes us back to COTO:

When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2…

What this means is that prior to doing any work on the RBT requirement, you have to first conduct what I call the “COTO exercise.” This is an activity that will take a little bit of time the first time, and then just gets updated periodically (perhaps annually) later on. So, just to repeat myself and see if my blog can still handle red bold italics, let me reiterate:

You cannot address risk-based thinking properly without considering the context of the organization first.

Fortunately, the COTO exercise is simple. It requires four things:

  1. Identify your interested parties – who they are and what are their requirements and expectations
  2. Identify internal and external issues – based on # 1 above
  3. Define the scope of the QMS – based on # 1 and # 2 above
  4. Identify your processes within the QMS

Now, a strict reading of the COTO clauses (4.1 through 4.4 of 9001:2015) has them in a different sequence. This is because TC 176 is dumb; they would have you identify the external issues first, and then identify the external stakeholders — which is the exact opposite of the way you would do this in real life. So I’ve re-ordered the steps, ignoring 9001:2015’s clause sequence.

Fight For Your Right to Party

Following these steps, you have to first identify stakeholders (“interested parties”) who have an interest either in your products or in your quality system. This is a great addition to ISO 9001, the previous versions of which obsessed almost entirely over customers and ignored almost anyone else who might care about your products or services. For example, many B2B companies sell products to another company, but the end user may actually be the public; under 9001:2015 we get to consider the end users, and not just the paying customer.

I recommend creating a simple table and then populating it, with the help of the senior management team and other company propellerheads. The table should look like this:


You will then think of all the groups of people who may be directly or indirectly impacted by your product or service, as well as those that have a direct or indirect impact on your QMS. For each, identify whether they are internal (work for the company) or external (third parties). Then define why those groups might have an interest.

Like much of ISO 9001, you get to decide who an interested party is. The only party that is expected is your customers; everything beyond that is entirely up to you. In most cases, however, this is going to include:

Internal Interested Parties

  • Employees
  • Other divisions of the company
  • Departments that may be outside of the QMS (legal, finance, etc.)

External Interested Parties

  • Customers
  • Suppliers / Vendors
  • Regulators
  • The public
  • Other end users of your product/service
  • Certification bodies
  • Competitors

Once you’ve done so, your list might start to look like this:


Once you have your interested parties identified, you can start to think about what each of those cares about, which brings us to the next step in the COTO exercise.

We’ve All Got Issues

Using the list above, you will then identify internal and external “issues.” These are concerns that the interested parties may have that directly or indirectly impact your products, services and/or QMS. Again, a simple table is a great way to start:


(By the way, you can create a single spreadsheet that includes all of this in a sortable file. I’m just proposing these tables because it’s easier to discuss in a blog article.)

You would then begin the mental exercise of identifying the issues of concern. The good news is that ISO 9001:2015 gives us some pointers on where to start. The Notes in clause 4.1 provide the following suggestions:

Internal Issues

  • values
  • culture
  • knowledge
  • performance

External Issues

  • legal
  • technological
  • competitive
  • market
  • cultural
  • social
  • economic

Once again, these are optional… you decide the issues of concern, not anyone else. Just try to imagine, however, what your interested parties might consider an issue of concern.

When you’re done, your table might start to look like this:


So why did I add a column for “bias”? After all, that’s not mentioned at all in the standard. The answer is simple: it will help you identify risks and opportunities later, as part of the risk-based thinking (RBT) exercise. So remember that point, because we will come back to it later.

Scope, Processes & Strategic Direction

The next two requirements for COTO are ones that you’ve probably already done, if you had implemented ISO 9001 prior to the 2015 release. These are (1) defining the scope of the QMS, and then (2) defining the QMS processes. If you haven’t done this before, well, they are not terribly complicated exercises, but they are far beyond the scope of this article. If you’ve identified interested parties and issues of concern, you have enough to begin taking a bite out of risk-based thinking. Your QMS scope and QMS processes will help in this regard.

From all of this information — stakeholders, issues, scope and processes — you now can do a few things. One of these will be to define the “strategic direction” of the company (see new clause 5.1.1 as well as a few others). This is also out of scope for this article, but if already done would further assist in the RBT exercise; if the company hasn’t yet defined its strategic direction, don’t worry: it’s not a showstopper for RBT.

But relative to RBT, the COTO information will allow you to make informed decisions on the risks to consider in your organization, the risk tools to use for assessment of each, and the risk treatment methods.

Continued in Part 2: Defining Risk and Opportunity

Like this topic? Book Christopher Paris for a speaking event at your organization on Practical Implementation of Risk-Based Thinking.