articles:iso_9001_fails_at_redefining_risk [2019/11/10 18:05]
rrandall [ISO 9001 Management Review Records]
====== A matter of "risk" ======

When it comes to defining the word "//risk//", ISO has several competing definitions in various "official" ISO documents, and these are in further conflict with non-ISO industry standards. As one would expect, these differences have created conflict within ISO and confusion amongst users.

This article discusses two of the most generally used definitions:

  - The first definition is that "risk" can be positive, negative, or both (a "non-traditional" interpretation, defined in ISO Annex SL, ISO 9000, ISO 14001, ISO 19011:2018, ISO 31000 & ISO Guide 73).
  - The second definition is that "risk" is always "negative" (a traditional interpretation, defined in ISO 13485, ISO 45001 & API Spec Q1).

While ISO promotes (through marketing) that "//the world agrees//" on ISO standards, in reality committee work is often contentious. Many ISO standards are adopted through compromise (lose-lose) rather than collaboration (win-win). And when it comes to defining the word "risk", there is little agreement.

{{ :articles:iso-when_the_world_compromises.png?nolink&800 |}}
===== Non-Traditional Definition of Risk =====
==== ISO 9000:2015 ====
When ISO 9001:2015 replaced the concept of "preventive action" with the broader "risks and opportunities" (in section 6.1), a definition for "risk" was added to ISO 9000:2015, "//Quality management systems — Fundamentals and vocabulary//", as follows:

<blockquote>**ISO 9000:2015** \\
3.7.9 risk \\
effect of uncertainty

Note 1 to entry: An effect is a deviation from the expected — positive or negative. \\
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information (3.8.2) related to, understanding or knowledge of, an event, its consequence, or likelihood. \\
Note 3 to entry: Risk is often characterized by reference to potential events (as defined in ISO Guide 73:2009, 3.5.1.3) and consequences (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these. \\
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence. \\
Note 5 to entry: The word “risk” is sometimes used when there is the possibility of only negative consequences. \\
Note 6 to entry: This constitutes one of the common terms and core definitions for ISO management system standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1. The original definition has been modified by adding Note 5 to entry.
</blockquote>

This short definition becomes clearer when the word "effect" is replaced with one of its synonyms: consequence, outcome or result. In other words, the committee for ISO 9000:2015 asserts that "risk" is a consequence, outcome, or result of uncertainty.

This broad definition is very close to the word "**//possibility//**".

"Note 1" then redefines the word "effect" as "//a deviation from the expected — positive or negative//".

This does two things. First, it adds a slight nuance by excluding the "expected" outcome from all of the other possibilities. All that really does is exclude a "sure thing" (i.e., a case with absolutely no "risk" of failing to achieve the expectation).

This enhanced definition is very close to the term "**//unexpected possibilities//**".

However, what if there were no expectation, but instead a "//hope//" or "//preference//"?

Second, the addition of "//positive or negative//" clarifies that the "possibilities" include both "//desired//" and "//undesired//" effects (consequences, outcomes and results).

An example of "positive" vs "negative" risks, from a book written by the conveners of ISO 9001:2015, follows:

<WRAP center round box 80%>
Consider a baseball game where your team is down by a run at the bottom of the 9th inning and the bases are loaded with two outs. \\
Negative risk - the batter will strike out and your team will lose the game. \\
Positive risk - the batter will score a couple of runs and your team will win the game.
</WRAP>

In the above example, there is an implied "//hope//" or "//preference//" for the "positive" risk.

The 4-minute video below explains "Positive vs. Negative Risks on Projects":

{{ youtube>pRUF2Uwu62U?large }}
 \\
However, "Note 5" states that the word "risk" is "sometimes" used when there is the //possibility// of only negative consequences (i.e., a "positive" consequence is impossible). In other words, ANY outcome other than the one "expected" will be negative.

<note>ISO 14001:2015, "//Environmental management systems — Requirements with guidance for use//", sec. 3.2.10 contains an identical definition for "risk" EXCEPT that it does not include Notes 5 & 6.</note>
==== ISO Guide 73:2009 ====
Now that we understand how ISO 9000:2015 has defined risk, and since that definition contains several references to ISO Guide 73, "//Risk management — Vocabulary//" (which was reviewed and confirmed in 2016), let's look at how the two differ from one another.

<blockquote>**ISO Guide 73:2009** \\
1.1 risk \\
effect of uncertainty on objectives

NOTE 1 An effect is a deviation from the expected — positive and/or negative. \\
NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process). \\
NOTE 3 Risk is often characterized by reference to potential events (3.5.1.3) and consequences (3.6.1.3), or a combination of these. \\
NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (3.6.1.1) of occurrence. \\
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
</blockquote>

Expanding the definition to include "//objectives//" (i.e., "effect of uncertainty __on objectives__") makes a negligible difference, because it is equivalent to ISO 9000:2015 "Note 1" using the word "expected" (i.e., "a deviation from the __expected__ — positive or negative").

Just as ISO 9000:2015 excludes the "expected" outcome from all of the other possibilities, ISO Guide 73:2009 excludes the "objectives" from all of the other possibilities. As stated above, all that really does is exclude a "sure thing" (i.e., a case with absolutely no "risk" of failing to achieve the expectation).

However, a significant difference appears in "NOTE 1" of ISO Guide 73:2009. While ISO 9000:2015 "Note 1" uses the word "//or//" (indicating either "positive" OR "negative" effects from a risk, but not both), ISO Guide 73:2009 "NOTE 1" uses "//and/or//" (indicating that there could simultaneously be both "positive" AND "negative" effects from a risk).

The significance of this distinction may be minor. Perhaps ISO Guide 73:2009 was simply attempting to expand the definition to include absolutely any combination of possibilities. If that is the case, then one must wonder why the committee responsible for ISO 9000:2015 consciously decided to restrict those possibilities by using the word "//or//".
==== ISO 31000:2018 ====

While ISO 31000:2018, "//Risk management — Guidelines//", has the exact verbatim definition for "risk" as ISO Guide 73:2009, "//Risk management — Vocabulary//", it has a greatly expanded "Note 1".

<blockquote>**ISO 31000:2018** \\
3.1 risk \\
effect of uncertainty on objectives \\

Note 1 to entry: An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats. \\
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels. \\
Note 3 to entry: Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood.</blockquote>

While the first sentence of ISO 31000:2018 "Note 1" matches the opening of ISO 9000:2015 "Note 1", the second sentence begins by maintaining consistency with ISO Guide 73:2009, reinforcing that the outcome "//can be positive, negative or both, ...//". The sentence then states that the consequence, outcome, or result "//can address, create or result in opportunities and threats//".

{{ :articles:two-sides-of-risk-coin-graphic-900x600.png?nolink&400|The two sides of the Risk coin}}
At this point, "Note 1" becomes nonsensical, because there is no definition or established use of the word "address" in relation to a consequence, outcome, or result. So for the moment, let's ignore that word and focus on how ISO 31000:2018 "Note 1" states that a "risk" can "//create or result in opportunities and threats//".

In effect, ISO 31000:2018 is stating that "opportunities and threats" are two sides of the same "risk" coin.

It's important to note that risks typically result from an "opportunity". For example, when presented with an investment "opportunity", taking action could result in a profit, a loss, or no change in value, while taking no action would preserve the current assets (no change), avoid loss, and forgo any profit that the investment would have yielded. This happens every day in the stock market.

While none of the above ISO documents define "opportunity", [[https://www.dictionary.com/browse/opportunity|Dictionary.com]] does:

<blockquote>Opportunity \\
noun, plural op·por·tu·ni·ties. \\
  - an appropriate or favorable time or occasion: (e.g., //Their meeting afforded an opportunity to exchange views.//)
  - a situation or condition favorable for attainment of a goal.
  - a good position, chance, or prospect, as for advancement or success.
</blockquote>

Ultimately, ISO 31000:2018 appears to be promoting the concept of layered contingency planning based upon the various unexpected possibilities, both positive and negative (desired and undesired effects).

As we can see, there are differences between ISO Annex SL, ISO 9000:2015, ISO 14001:2015, ISO 31000:2018 & ISO Guide 73:2009 regarding the concept of "risk", whether through the definitions themselves or through the clarifying notes provided.
- 
===== Traditional Definition of Risk =====

In order to truly understand the meaning of "risk", we must examine the etymology of the word.

Again, referring to [[https://www.dictionary.com/browse/risk|Dictionary.com]]:

<blockquote>WORD ORIGIN FOR RISK \\

C17: from French risque, from Italian risco, from rischiare to be in peril, from Greek rhiza cliff (from the hazards of sailing along rocky coasts)
</blockquote>

And, referring to the [[https://www.etymonline.com/word/risk|Online Etymology Dictionary]]:

<blockquote>risk (n.) \\

1660s, risque, from French risque (16c.), from Italian risco, riscio (modern rischio), from riscare "run into danger," of uncertain origin. The Englished spelling first recorded 1728. Spanish riesgo and German Risiko are Italian loan-words. With run (v.) from 1660s. Risk aversion is recorded from 1942; risk factor from 1906; risk management from 1963; risk taker from 1892.
</blockquote>

As we can see, the word "risk" has always been associated with "hazards" or "danger", and with something to be avoided.


==== ISO 13485:2016 & ISO 14971:2007 ====
Both ISO 13485:2016, "//Medical devices — Quality management systems — Requirements for regulatory purposes//", and ISO 14971:2007, "//Medical devices — Application of risk management to medical devices//", maintain a definition of "risk" consistent with the etymology of the word.

<blockquote>
**ISO 13485:2016** \\
3.17 risk \\
combination of the probability of occurrence of harm and the severity of that harm

Note 1 to entry: This definition of “risk” differs from the definition given in ISO 9000:2015

[SOURCE: ISO 14971:2007, 2.16]</blockquote>

==== ISO 45001:2018 ====

ISO 45001:2018, "//Occupational health and safety management systems — Requirements with guidance for use//", takes an interesting, if not confusing, approach toward "risk". First, ISO 45001:2018, sec. 3.20 defines "risk" the same as ISO 9000:2015, although with slightly modified notes. Then it shifts to a traditional definition when specifically applied to "occupational health and safety".

<blockquote>**ISO 45001:2018** \\
3.21 occupational health and safety risk (OH&S risk) \\
combination of the likelihood of occurrence of a work-related hazardous event(s) or exposure(s) and the severity of injury and ill health (3.18) that can be caused by the event(s) or exposure(s)</blockquote>

Keeping the Annex SL definition for "risk" while also keeping its own definition for "occupational health and safety risk (OH&S risk)" was obviously a compromise to satisfy ISO. Also, the above definition for OH&S risk is very similar to the definition for "risk" found in one of the referenced source documents, OHSAS 18001:2007, "//Occupational health and safety management systems//".

<blockquote>**OHSAS 18001:2007** \\
3.21 risk \\
combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of injury or ill health (3.8) that can be caused by the event or exposure(s)</blockquote>

ISO 45001:2018 also has a separate definition for "opportunity".

<blockquote>**ISO 45001:2018** \\
occupational health and safety opportunity (OH&S opportunity) \\
circumstance or set of circumstances that can lead to improvement of OH&S performance (3.28)</blockquote>

==== API Spec Q1 ====
While not an ISO document, [[https://www.monogramwebstore.org/publications/item.cgi?7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1, "Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry" (Ninth Edition, June 2014)]], published by the [[https://www.api.org|American Petroleum Institute (API)]], also contains a traditional definition for "risk", one that is far superior to any definition offered by ISO.

<blockquote>**API Spec Q1** \\
3.1.19 risk \\
Situation or circumstance that has both a likelihood of occurring and a potentially negative consequence.</blockquote>
===== The ISO 9001:2015 Conundrum =====

If the authors of ISO 9001:2015 had subscribed to the views expressed in ISO 9000:2015 "Note 1", they would simply have used the word "risk" rather than repeatedly stating "//risks and opportunities//" as two separate concepts throughout the standard (in sections 4.4.1f, 5.1.2b, 6.1, 9.1.3e, 9.3.2e & 10.2.1e).

Interestingly, ISO 14001:2015, "//Environmental management systems — Requirements with guidance for use//", also adopted this approach. And while the term "risks and opportunities" is not defined in ISO 9000:2015 or ISO 9001:2015, it is defined in ISO 14001:2015.

<blockquote>**ISO 14001:2015** \\
3.2.11 risks and opportunities \\
potential adverse effects (threats) and potential beneficial effects (opportunities)
</blockquote>

{{ :articles:confused_thoughts.png?nolink&400|}}
For those who subscribe to the interpretation provided in "Note 1", "risks and opportunities" is an incongruous term BECAUSE "opportunities" are already included in "risks". Therefore, it appears that the authors subscribed to the views expressed in ISO 9000:2015 "Note 5" AND the definition provided in ISO 14001:2015: that "risks" are "potential adverse effects (threats)" and "opportunities" are "potential beneficial effects".

Consequently, this has created a conundrum for users over how to properly address "risk".

==== Is the use of "Preventive Action" still valid? ====

While many organizations continue to use the term "preventive action" to address "negative risks"/threats (e.g., because it is embedded in their corrective action forms, databases, etc.), that term fails to address "positive risks" and "opportunities".

Even though use of "preventive action" is still permitted to address "negative risks"/threats, many ISO 9001 and AS9100:2016 registrars are //encouraging// their clients to eliminate the term "preventive action" and adopt the term "risks and opportunities", to ensure that both "threats" and "opportunities" are addressed within their QMS.

However, this presents challenges, because other industry standards, such as ISO 13485:2016, "//Medical devices — Quality management systems — Requirements for regulatory purposes//", ISO 17020:2012, "//Conformity assessment — Requirements for the operation of various types of bodies performing inspection//" (Option A), AAR M-1003:2019, Section J, "//Specification for Quality Assurance//", and [[https://www.monogramwebstore.org/publications/item.cgi?7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1, "Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry" (Ninth Edition, June 2014)]], all specifically require "preventive action" to be included in the QMS.
==== ISO 9001 Management Review Records ====

The only "record" regarding "risks and opportunities" specified in ISO 9001:2015 is in sec. 9.3, "Management review". This includes:
<blockquote>//9.3.2 Management review inputs \\
The management review shall be planned and carried out taking into consideration: \\
e. the effectiveness of actions taken to address risks and opportunities (see 6.1); \\
f. opportunities for improvement.// </blockquote>

Here again we see that ISO 9001:2015 is consistent with ISO 9000:2015 "Note 5" in treating "risks" as only "threats", by addressing "opportunities" separately (in 9.3.2e). It then specifically requires the organization to consider "//opportunities for improvement//" (in 9.3.2f), as if they were somehow excluded from the opportunities identified in 9.3.2e (as defined in ISO 14001:2015, 3.2.11)!

Due to the ambiguous/vague nature of the requirement, the "Management Review Meeting Minutes" could include a statement as simple as: "//All of the actions taken to address risks and opportunities were determined by management to be effective.//"

<note tip>
Many ISO 9001:2015 consultants recommend creating a SWOT analysis. While limited in usefulness, a SWOT analysis can provide:
  * some good talking points relating to "//external and internal issues//" (ISO 9001:2015, sec. 4.1),
  * useful information to help "//determine the risks and opportunities that need to be addressed//" (ISO 9001:2015, sec. 6.1.1),
  * evidence that management has "considered" 9.3.2b, "//changes in external and internal issues that are relevant to the quality management system//" (when incorporated into the management review meeting minutes). \\
{{ :articles:swot_analysis_table_551x422.png?nolink&400 |}}
</note>

Further, ISO 9001:2015, sec. 9.3.3 "Management review outputs" states (with the additional requirement added by AS9100:2016 shown in **BOLD** below):
<blockquote>//9.3.3 Management Review Outputs \\
The outputs of the management review shall include decisions and actions related to: \\
a. opportunities for improvement; \\
b. any need for changes to the quality management system; \\
c. resource needs; \\
**d. risks identified.**// \\
 \\
The organization shall retain documented information as evidence of the results of management reviews.</blockquote>

It is critical to note that sec. 9.3.3 is not simply a management review agenda topic. This section specifically requires the inclusion of any "//decisions and actions//" taken (or initiated) by management. However, it is interesting to note that the "//decisions and actions related to opportunities for improvement//" is limited to ONLY those opportunities related to "__improvement__", specifically excluding "//decisions and actions related to//" other opportunities.

AS9100:2016 expanded the requirement by adding 9.3.3d, which requires organizations to also address "//decisions and actions related to risks identified//". Without knowing whether the authors of AS9100:2016 subscribe to ISO 9000:2015 "Note 1" or "Note 5", we cannot definitively interpret 9.3.3d as covering "//...decisions and actions related to//" ALL of the "opportunities and threats" identified (per "Note 1"), or ONLY the "threats" identified (per "Note 5").
===== Conclusion =====

One must wonder why ISO is so obsessed with redefining the word "risk".

Upon examining the "Bibliography" section of the ISO documents promoting non-traditional definitions of "risk", we see that they reference only ISO or IEC documents (IEC is a sister organization of ISO):
  * ISO 9000:2015 (only references other ISO & IEC documents)
  * ISO 9001:2015 (only references other ISO & IEC documents)
  * ISO 14001:2015 (only references other ISO documents)
  * ISO 31000:2018 (only references a single IEC document)
  * ISO 19011:2018 (only references other ISO & IEC documents)
  * ISO Guide 73:2009 (only references other ISO & IEC documents)

It quickly becomes obvious that ISO is firmly entrenched in "Not Invented Here" syndrome (NIH). Wikipedia describes NIH as follows:

<blockquote>a stance adopted by social, corporate, or institutional cultures that avoids using or buying already existing products, research, standards, or knowledge because of their external origins and costs, such as royalties. The reasons for not wanting to use the work of others are varied, but some can include a desire to support a local economy instead of paying royalties to a foreign license-holder, fear of patent infringement, lack of understanding of the foreign work, an unwillingness to acknowledge or value the work of others, jealousy, belief perseverance, or forming part of a wider turf war. As a social phenomenon, this tendency can manifest itself as an unwillingness to adopt an idea or product because it originates from another culture, a form of tribalism.</blockquote>

However, unlike the above documents, ISO 13485:2016 also includes references to GHTF (Global Harmonization Task Force) documents; the GHTF has since been superseded by the [[http://www.imdrf.org|International Medical Device Regulators Forum]] (IMDRF).

Returning to the question of whether "preventive action" is still valid: nothing in either the "[[https://committee.iso.org/files/live/sites/tc176sc2/files/documents/Interpretations/ISO9001_2015_Approved_Interpretations.doc|ISO/TC 176/SC 2 Listing of Approved Interpretations against ISO 9001:2015]]" or the "[[https://asq.org/quality-resources/iso-9001/us-tc176|US TC 176 - TG22 - Interpretations]]" forbids or restricts use of the "preventive action" methodology. And ISO 9000:2015 continues to recognize "preventive action" as a legitimate methodology (ref. ISO 9000:2015, sec. 3.12.1).