ISO’s Technical Committee 176 has created a concept called “risk based thinking” and is planning to introduce it later this year, when the next edition of ISO 9001 — ISO’s flagship standard — is released. The usual suspects are touting this as a long-awaited improvement to ISO 9001; by this I mean ISO, the registrars, and a few consultants who are writing articles about “RBT” as if it has existed for decades, and who are claiming retroactive mastery over it.
But the truth is that not only has RBT never existed, it’s creation was a concession. ISO became enamored with risk management after the architects of ISO 31000 — a far superior, if still flawed, standard — gained favor with key members of ISO’s corner offices. By this I specifically mean the obscure, but powerful, Technical Management Board (TMB). The TMB is the oversight body over all ISO Technical Committees, and thus tells the TCs what to do, and what not to do.
Politics and personalities pushed the TMB to decide to incorporate risk into all its management system standards, a move we can argue the merits of separately. This move may have violated basic ISO procedure (and possibly WTO regs) as it meant the TMB — which is not a consensus-driven committee, but one comprised of 15 nonelected “permanent” members — was dictating content to its TC’s, and not merely structure.
So suddenly TC 176 was told to include “risk” in its next edition of ISO 9001. But the quality management professionals in TC 176 were not risk management professionals, and know almost nothing of actual RM. Simultaneously, they faced a problem with a legacy requirement of “preventive action” that ISO 9001 companies had struggled to understand. Rather than clean up the language on preventive action, TC 176 killed two birds with one stone. They re-branded preventive action as “risk-based thinking” and thus were able to tell the TMB they had met their mandate to include risk.
Meanwhile, ISO 9001’s RBT doesn’t include any actual requirements: no records, procedures, processes nor evidence. One need merely “think” about risk, and you’re done. Remember that ISO 9001 is intended for third party assessment, so it’s not clear how anyone will prove, or disprove, “thinking about risk.”
The fallout for risk managers is that now we have the quality profession claiming sudden mastery over risk management, and retroactively claiming they’ve been experts all along. They know nothing of the problems and controversies within the RM community, and are like children driving their dad’s new car. Blind children.
This stands to injure both professions. When ISO 9001’s RBT proves a costly, ineffective mess, both quality managers and risk managers will be tarred with the blame. When processes don’t improve, and products like air bags continue to explode like hand grenades in people’s cars, there will be a lot of finger pointing.
ISO 9001 should have left risk management out altogether, or gone “all in” and just referenced ISO 31000 as a normative document. Instead, it took half-measures, and has doomed both professions.