As I’ve discussed ad nauseam, “risk-based thinking” was shoved into ISO 9001:2015 during a single weekend session in Portugal in the summer of 2013, as a means of satisfying a mandate from ISO headquarters to “include risk” in one form or another in the new standard. Failure to do so risked having any draft issued by TC 176 rejected entirely by ISO, and even TC 176 itself disbanded. It was an empty threat, as evidenced by the ISO 13485 standard, which rejected it and survived, but TC 176’s leadership didn’t know that at the time.

So in Porto, the TC 176 leaders dreamed up “risk-based thinking” as a way to inject risk into ISO 9001 without invoking full-blown “risk management.” Leaders told me, on condition of anonymity, that this was done so as not to hurt sales of ISO 9001, since small machine shops and mom-and-pop users of ISO 9001 would abandon their certification if it meant hiring degreed risk managers and implementing complicated risk management systems. “Risk-based thinking” was written as filler material in the Introduction and an Annex to placate ISO HQ in Geneva; they then just copied and pasted the text from Geneva’s “Annex SL” mandate into clause 6.1. That’s it; it was literally finished in a few days. And a critical analysis shows the clause doesn’t actually require that anything material be done.

At the same time, TC 176 needed to come up with talking points to sell RBT to the masses. So a representative from BSI drafted a series of narratives that then became memes: “risk has always been implicit in ISO 9001” and “risk is something you do every day.” To illustrate the latter point, the “footbridge metaphor” was written, and then circulated all across the world. It goes like this:

Example: To cross the road I may go directly or I may use a nearby footbridge. Which process I choose will be determined by considering the risks. Crossing the road directly gives me an opportunity to reach the other side quickly, but if I take that opportunity there is an increased risk of injury from moving cars.

This oversimplification — some would say “dumbing down” — of risk management has been absorbed by ISO acolytes and users as overnight gospel, and then repeated over and over to the point of idiocy. Lost in the repetition is the fact that the Footbridge Metaphor doesn’t really discuss risk management, nor even risk-based thinking, at all. It actually leads to a nefarious end result that most companies understand is unworkable: risk aversion.

Laid out on a line, risk treatment options look something like this:

[figure: the risk treatment options (aversion, avoidance, acceptance, mitigation) laid out on a line, colored red, yellow and green]

Here the colors red, yellow and green represent a range of upsides and downsides for a typical organization. The best a company can do is mitigate a risk and convert it to an opportunity; that’s the green “sweet spot” in the middle. Accepting the risk isn’t great, and there’s a sliver of “red” disaster awaiting, but only a sliver. Risk avoidance may have some benefits, but loses the chance of converting the risks into opportunities altogether. Risk aversion, however, is nearly always bad; companies are crippled with paranoia, and cannot grow, cannot improve, and cannot develop.

The Footbridge Metaphor glorifies risk avoidance, while real risk managers know that “risk avoidance” is the treatment of last resort. If a given risk has the ability to generate a benefit if taken, or if a risk’s potential negative likelihood or severity can be reduced to make the risk more acceptable, then actions are taken accordingly. Anyone can try to “avoid” risk, but they would soon find out they never accomplish anything, and a culture of risk aversion is created.

Risk aversion is the worst form of risk avoidance, and is anathema to any mature corporate culture. Risk is everywhere, and largely unavoidable, so risk management seeks to tackle risks, subdue them, and even convert them into opportunities. A company that operates on a daily internal terror scale of “OMG!!” will get nothing done. In fact, it’s likely the company would have never formed to begin with.

Risk mitigation is the primary action taken, with risk avoidance a last resort. Allowing me to oversimplify now, risk mitigation consists of actions taken to reduce the likelihood and severity of a given risk, while (in some cases) maximizing the ability to detect the risk when it does materialize. This makes risks manageable.

Under the Footbridge Metaphor, the suggestion made by the BSI idiot is not to mitigate the risk, but to select an entirely different process so you avoid it entirely. In fact, the “footbridge” option would suggest you use a less-efficient process, which is even worse!

A true risk manager would understand that this is not risk management, it’s risk avoidance. The Footbridge Model suggests you avoid the process with the risk entirely, and do something else. What if you can’t do something else? What if the something else is less efficient, and costs more money or resources?

According to ISO, this is a professional Risk Manager at work.

Real World Footbridges (Feetbridges?)

Let’s swap out the “footbridge” for a more realistic corporate problem: the selection of a given supplier. Whereas Deming and the others taught us to work on “mutually beneficial supplier relationships,” where we work with suppliers to improve their performance — through risk mitigation — ISO would just have you switch suppliers (swap out “street” for “footbridge.”) That oversimplification is idiotic.

It also doesn’t address the reality: what if there is no other supplier available? What do we do then, just go home? The easiest way to never have to deal with the problem of crossing the street is to never leave the house, so if you have problems selecting suppliers, perhaps you should just not do it at all. Right?

Another example: imagine a manufacturing operation is giving you difficulty; let’s say “precision drilling.” Your machines are not operating to the necessary tolerances; the risk is that you will produce defective product as a result. Under the Footbridge Metaphor you would not work to improve the machines’ ability to hit tolerances, you would use another process entirely. But what other process can be used for precision drilling? Putting parts on a lathe? What if we are talking about circuit boards? What if there is no alternative option for the process? The Footbridge Metaphor doesn’t address that.

In fact, this “change the process” is hardwired right into the Footbridge Model. Read it again:

To cross the road I may go directly or I may use a nearby footbridge. Which process I choose will be determined by considering the risks.

Again, this is formalizing risk avoidance, not addressing risk management. To resolve the problem of the footbridge, a “real” risk manager would look for ways to mitigate the risk of the traffic hitting you. This would require changes to the process of crossing the street, not changing the process entirely to use the footbridge. And so we might install a traffic light, and then hire police to assist us in crossing; we might look for ways to reroute traffic so there aren’t so many cars at that intersection which could hit pedestrians; we might wear a giant balloon-suit so that if we were hit, we’d just bounce around, unharmed. We might get out a shoulder-mounted missile launcher and destroy the cars before they came near, making it safe to cross. Well, maybe not that, but we wouldn’t just quit.
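To make the ordering of treatments concrete (the line of options above, the definition of mitigation as reducing likelihood and severity or improving detection, and the footbridge and precision-drilling cases), here is an added example of a small risk register that scores a risk and ranks its treatments so that mitigation is tried before avoidance. This is illustration code written for this page, not anything from the original post, from TC 176 or from ISO 9001; the likelihood x severity x detectability score is an FMEA-style assumption (ISO 9001 prescribes no scoring at all), the threshold of 100 is assumed, and every risk and number in it is constructed, not measured.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

# Assumed acceptability threshold: a residual score at or below this is tolerable.
ACCEPTABLE = 100


@dataclass(frozen=True)
class Risk:
    process: str
    effect: str
    likelihood: int     # 1 (rare) .. 10 (almost certain)
    severity: int       # 1 (negligible) .. 10 (catastrophic)
    detectability: int  # 1 (always caught before harm) .. 10 (never caught)
    benefit: int        # value of running the process at all, 0 .. 10

    def score(self) -> int:
        """Residual risk, FMEA-style (assumed model): higher is worse."""
        return self.likelihood * self.severity * self.detectability


@dataclass(frozen=True)
class Treatment:
    name: str
    kind: str       # "accept", "mitigate" or "avoid"
    residual: Risk  # what the risk looks like after this treatment


def accept(risk: Risk) -> Treatment:
    """Take the risk as-is: nothing changes, the benefit is kept."""
    return Treatment("accept as-is", "accept", risk)


def mitigate(name: str, risk: Risk, **changes: int) -> Treatment:
    """Keep the process; lower likelihood or severity, or improve detectability."""
    allowed = {"likelihood", "severity", "detectability"}
    unknown = set(changes) - allowed
    if unknown:
        raise ValueError(f"mitigation may only change {sorted(allowed)}, not {sorted(unknown)}")
    return Treatment(name, "mitigate", replace(risk, **changes))


def avoid(name: str, risk: Risk, alternative_benefit: int = 0) -> Treatment:
    """Drop the process. The risk goes to zero, and so does its benefit, apart from
    whatever a substitute process (the footbridge) still delivers."""
    residual = replace(risk, likelihood=0, severity=0, detectability=0, benefit=alternative_benefit)
    return Treatment(name, "avoid", residual)


def rank(treatments: list[Treatment], threshold: int = ACCEPTABLE) -> list[Treatment]:
    """Acceptable treatments first; among those, anything that keeps the process beats
    avoidance, then most benefit retained, then lowest residual score. Avoidance
    therefore wins only when no mitigation gets the score under the threshold."""
    def key(t: Treatment) -> tuple:
        r = t.residual
        return (r.score() > threshold, t.kind == "avoid", -r.benefit, r.score())
    return sorted(treatments, key=key)


def decide(treatments: list[Treatment], threshold: int = ACCEPTABLE) -> Treatment:
    return rank(treatments, threshold)[0]


# Constructed register entries; the numbers are illustrative, not measured.
CROSSING = Risk("cross the road directly", "struck by a moving car",
                likelihood=4, severity=9, detectability=3, benefit=10)   # score 108
DRILLING = Risk("precision drilling", "holes out of tolerance, boards scrapped",
                likelihood=6, severity=7, detectability=4, benefit=10)   # score 168
HAZMAT = Risk("unshielded solvent transfer", "operator chemical burns",
              likelihood=9, severity=10, detectability=9, benefit=4)     # score 810


def footbridge_case() -> list[Treatment]:
    return [
        accept(CROSSING),
        mitigate("signal plus crossing guard", CROSSING, likelihood=1, detectability=1),  # 9
        mitigate("reroute traffic away", CROSSING, likelihood=2),                          # 54
        avoid("take the footbridge", CROSSING, alternative_benefit=6),                     # 0, but slower
    ]


def drilling_case() -> list[Treatment]:
    # No substitute process exists for drilling a circuit board, so avoidance keeps nothing.
    return [
        accept(DRILLING),
        mitigate("recalibrate spindles, add first-article inspection", DRILLING,
                 likelihood=3, detectability=1),                                          # 21
        avoid("stop drilling", DRILLING),
    ]


def last_resort_case() -> list[Treatment]:
    # Mitigation that cannot get under the threshold: here avoidance is the right call.
    return [
        accept(HAZMAT),
        mitigate("gloves and goggles", HAZMAT, likelihood=5),                              # 450
        avoid("contract the transfer out", HAZMAT, alternative_benefit=3),
    ]


if __name__ == "__main__":
    for case in (footbridge_case, drilling_case, last_resort_case):
        best = decide(case())
        print(f"{best.residual.process}: {best.kind} -> {best.name} (residual {best.residual.score()})")
```

The ranking key is the whole argument in four terms: an option that leaves the score above threshold is never chosen while an acceptable one exists; among acceptable options, keeping the process beats dropping it; then the option retaining the most benefit wins, with the lowest residual score as a tie-break. Run as a script it prints the chosen treatment for each case; the footbridge only comes out on top when every mitigation fails, which is the last-resort behaviour the text describes.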

The Footbridge Metaphor is a glaring example of how the TC 176 and BSI “leaders” don’t understand the day-to-day realities of ISO 9001 users, because they either are decades removed from any practical employment in industry, or were never in it to begin with. The BSI folks, for example, are often career bureaucrats and committee members, just writing standards but never having to “eat their own dog food.” Worse, there wasn’t a single, actual professional risk manager on TC 176 (that I could find, anyway.) There were a lot of people who took on the mantle of “risk management expert” after the standard was published, but none with degrees on the subject nor any verifiable employment as a Chief Risk Officer.

So we have to be very wary of implementing ISO 9001:2015 and risk-based thinking while using this inane “Footbridge Metaphor.”

The truth is that risk management is difficult, and it’s also important to do right. Dumbing it down serves no one well, except for ISO’s sales department and the registrars, who sell certifications. Coupled with the removal in ISO 9001:2015 of the preventive action clause that ISO 9001:2008 had, this actually increases the risk that user organizations will produce products that are defective and could harm the public, all while operating in “compliance” to ISO 9001 or, worse, with a certification to it.

But risk management doesn’t mean you need to hire a full-blown, salaried risk manager either. The truth is somewhere in the middle, and will be different for each user organization. You must address the risks to the point that you’ve essentially done the best job you possibly can, but without going broke in the process. Simply “thinking” about risk won’t cut it.

For a more practical approach, be sure to download my free ISO 9001:2015 template kit which includes the “COTO Log” approach to tackling risk and opportunity (separately!) and doesn’t suggest you just stay in your home, huddled in fear, for the rest of your life.


About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 25 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.