Part 3: RBT in Practice

(For Part 1, click here; for Part 2, click here.)

To recap, so far we’ve conducted a COTO (context of the organisation) exercise which helped us better understand our company, its stakeholders and the things they may find important. We then tailored our understanding of the concepts of “risk” and “opportunity” to something that makes practical sense. Finally, we will use this information to determine the risks facing the company and how to manage them.

One important thing to consider: the ISO 9001:2015 standard specifically uses the phrase “determine” your risks. Many CB auditors and pundits have already misinterpreted this as saying you must “document” or “record” them; but “determining” is not equal to “documenting”, so they are wrong. If TC 176 had wanted you to document them, they would have said so; instead they did include the word “thinking” however, so in the strictest sense you can “determine” your risks merely by thinking about them. Yes, it’s insane, but it’s literally true.

What does this mean in a practical sense? This means you also get to decide how to “determine” the risks. This article just presents one possible way, and it doesn’t pretend to be the only way.

Converting Issues to Risks and Opportunities

Risks are everywhere, and naming every one of them is like naming all the stars in the sky. So what risks do you consider? The standard does give some pointers, thankfully. Clause 6.1.1 says you must “determine the risks and opportunities that need to be addressed to:

  • give assurance that the quality management system can achieve its intended result(s);
  • enhance desirable effects;
  • prevent, or reduce, undesired effects;
  • achieve improvement.”

But those are vague concepts in and of themselves, so they are only hints. You are going to have to take those hints, run them through the filters of the COTO exercise outputs, and come up with actual risks you can take a bite out of.

I like tables, so I am going to recommend another table; I call this an “Issues Log.” It may look like a traditional risk register, but it’s not, at least not yet; if you elect to create a risk registry later, you can cut and paste data from this table into it. You can download a free, customizable version of this table (MS Excel 2013 format) here. (Right click, and select “Save As.”)


Using this table, you will copy the information from your previous exercises into it. The Excel version provides drop-down lists for most of the columns to make filling it in a bit faster. A few explanations:

“Bias” refers to whether the issue is inherently negative (a risk) or positive (an opportunity.) Now you see why re-defining “risk” (as we discussed in Part 2) is important.

“Processes Affected” refers to the key (core) processes in your organization, which you should have already identified. The RBT activities should become part of your process approach, so tying each issue to at least one related process is important.

“Priority” allows you to prioritize the issues; this might then carry over into any prioritization used in the risk treatment itself.

“Treatment Method” would be a reference to the preferred method used to process the issue. For many negative risks you may opt for FMEA, but for others you would not. The Excel file provides a drop-down list of about 30 different risk treatment methods, from ISO 31010 Risk Management – Risk Assessment Techniques; you can likewise add your own.

“Record Reference” would be where you indicate the associated records or files related to the risk treatment; this could be a CAR number, a FMEA reference number, a report number… whatever. But the Issues Log should link to where the user can find more information.

To fill this out, you go down your COTO tables and copy the data into this new Issues Log. Once you are done, you can then add additional risks and opportunities that you think of outside of the COTO exercise. In fact, I recommend you hold a special management-level meeting to help populate this Issues Log.

Once it’s complete — and keep in mind, this is a living document that will be updated as conditions change — you can then use this to drive a number of ISO 9001 related activities:

  • Use the information to update the company’s Strategic Direction
  • Use the information to update the internal audit schedule
  • Use in Management Review as an overall risk thinking tool
  • Use to populate a formal risk registry

You may wish to upload this to a central server so that employees can add to it as they like; this encourages participation by your staff in the risk thinking activities.

On its own, however, the Issues Log doesn’t fully meet all the requirements of RBT. Instead, it has helped you “determine” the risks and opportunities as required by ISO 9001:2015.

Risk Based Vaporware

Once you’ve identified your risks, ISO 9001 then goes on to require the following:

6.1.2 The organization shall plan:
a) actions to address these risks and opportunities;
b) how to: integrate and implement the actions into its quality management system processes [and] evaluate the effectiveness of these actions.

The first in that list (take “actions to address” the risks) is ISO’s way of saying you need to conduct some form of assessment and treatment; but ISO didn’t want to use those words, lest they be seen as prescriptive. Formal risk assessment and risk treatment is not required, but you have to do something.

This is where the 9001:2015 standard fails: it wants its users to adopt risk management, but is so terrified (and ignorant) of formal risk management that it tries to avoid using the terms directly. (There were also a lot of politics in play, and TC 176 didn’t want to step on the toes of TC 262 on risk management, the guys who publish ISO 31000.) The end result is a vague set of words that actually mean nothing, and provide no direction whatsoever on how to meet the requirement. I call this a “required non-requirement” in that it requires something, but says nothing.

So, in a practical sense, you have to do some “action” that — for the purposes of this article, anyway — we will call “risk assessment” and “risk treatment.” But these activities may not always look like the traditional assessments and treatments, and may not be applicable to all the risks or opportunities you identified.

Risk-Based Fortune Telling

I hate that I have to use the term “risk assessment” because ISO 9001 doesn’t officially require this, but lacking any other term, it will have to do. As you will see, I am not suggesting the full gamut of formal risk assessment methods commonly used by risk management professionals. If you like, we can call it “risk evaluation” or “risk consideration.” Maybe “risk divination.” I don’t care.

The dirty secret in the risk management profession is that it’s all based on guesswork. Any risk assessment is just making guesses and then assigning numbers to make it look like science. It’s closer to Tarot card reading than physics, but no risk manager will ever admit it.

So here’s what we do, in the real world. Taking your Issues Log, you will determine the best risk treatment method for the given risk or opportunity and apply it.

  • If the risk treatment is FMEA (or similar), then this method includes the risk assessment within the treatment. Run the FMEA and you’re done.
  • If the risk treatment method is something else, this may require two steps: first, evaluate (assess) the risk in some way and then determine the course of action to take. This may mean simply writing the evaluations and actions in a simple text document and filing it, or it may require more formal activities and records — you get to decide.

I’m no fan of FMEA when using it for every type of risk, but if you want something that is a bit more flexible, but which still looks like an FMEA, consider downloading this free Excel file. (Right click, and select “Save As.”) This also acts as a risk registry of sorts (and that’s what it’s called.)

Whatever method you use, it has to comply with the next “required non-requirement” of ISO 9001, which says that you must

… integrate and implement the actions into its quality management system processes [and] evaluate the effectiveness of these actions.

If you have used a traditional, formal tool (like the FMEA or any of the treatments listed in ISO 31010), your job is done; these tools effectively meet this requirement.

But if you’ve elected to use a nontraditional method, or are simply explaining your actions in a prose text file, then just be sure the text clearly (1) identifies the risk, (2) evaluates the risk, (3) defines a risk action and (4) evaluates the actions taken. Here’s what that might look like in a simple typewritten example:

[Image: riskexercise1]

This meets all the requirements of ISO 9001:2015’s risk-based thinking without using a single spreadsheet, complicated FMEA or any other traditional method, and can be upheld during audits if you clearly point out the four elements.

Managing Opportunities

Opportunities are the alleged positive side of risk, as we discussed. They are not managed to mitigate (minimize) them, but instead the opposite — you want to maximize the likelihood and impact of opportunities. Therefore while you can use all the same steps in RBT, when you reach the treatment step you will have to select different tools or approaches. Often the “prose” format is best, otherwise you will have to create a risk register that calculates opportunities in the opposite manner of risks, ranking them based on how well you can exploit the opportunity, as opposed to how well you can minimize the risk. Another great option for managing opportunities is SWOT, but it is not easy for the beginner.

Recap and Moving Forward

So, to recap, you use the COTO exercise to identify your stakeholders and their issues. You use this to help identify your risks and opportunities, and then collect them into some format to assess them. That assessment should include the determination of a risk treatment method specific to that risk, since no one tool can be used in all cases. Then you take actions to reduce the risk, evaluate the actions, and keep a record of the whole thing to prove it later.

The flexibility of the vague language of ISO 9001:2015 can be used to your benefit, allowing you to do whatever you like to meet these requirements. But at the same time, this will cause headaches for CB auditors who are expecting to see the same thing from one client to another. Be prepared to defend your interpretations, definitions and approaches. While the standard doesn’t officially require records of risk actions, you should maintain them for your own internal reference, but also to prove to the CB auditor that you’ve actually done something.



About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.
