Preventive Action ≠ Risks and Opportunities?

While not mentioned in the original ISO 9001:1987, the term “preventive action” was introduced into ISO 9001:1994. Intended to be a simplistic, yet formalized proactive approach toward addressing “risks”, the new term created a great deal of confusion. This was primarily because the term wasn’t defined in the standard and users rarely purchased ISO 8402:1994, “Quality management and quality assurance–Vocabulary”.

With the release of ISO 9001:2000, ISO 8402 was renumbered and renamed to ISO 9000:2000, “Quality management systems–Fundamentals and Vocabulary”. The definition of “preventive action” is still present in ISO 9000:2015, and has remained unchanged since 1994 as:

preventive action
action to eliminate the cause of a potential nonconformity or other potential undesirable situation

Note 1 to entry: There can be more than one cause for a potential nonconformity.
Note 2 to entry: Preventive action is taken to prevent occurrence whereas corrective action is taken to prevent recurrence.

ISO 9001:2015 replaced the concept of “preventive action” with the more expanded “risks and opportunities” (in section 6.1). A definition for “risk” was also added to ISO 9000:2015, “Quality management systems–Fundamentals and Vocabulary”, as:

risk
effect of uncertainty

Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information (3.8.2) related to, understanding or knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events (as defined in ISO Guide 73:2009, 3.5.1.3) and consequences (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.
Note 5 to entry: The word “risk” is sometimes used when there is the possibility of only negative consequences.
Note 6 to entry: This constitutes one of the common terms and core definitions for ISO management system standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1. The original definition has been modified by adding Note 5 to entry.

The two sides of the Risk coin

ISO 9000:2015, “Quality management systems–Fundamentals and Vocabulary”, “Note 1” states that risks can be positive or negative (i.e., “opportunities” or “threats”), effectively establishing that “opportunities and threats” are two sides of the same “risk” coin. However, “Note 5” states that the word “risk” is “sometimes” used when there is the possibility of only negative consequences (i.e., a “positive” consequence is impossible). Since “Note 1” covers all possibilities, addressing both positive and negative risks, “Note 5” serves absolutely no purpose other than to acknowledge that there are those who disagree with the definition of “risk” including “positive” risks (i.e., opportunities).

Providing a similar definition consistent with ISO 9001:2015 “Note 1”, ISO 31000:2018, “Risk Management–Guidelines” also promotes the concept of “risk” being positive and/or negative (i.e., inclusive of “opportunities” and/or “threats”):

risk
effect of uncertainty on objectives

Note 1 to entry: An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood.

The definition provided in ISO 31000:2018 is identical to the definition provided in ISO Guide 73:2009, “Risk management–Vocabulary” (which was reviewed and confirmed in 2016), with slightly different notes to provide clarification (of their opinion).

As we can see, there are differences between ISO 9000:2015, ISO Annex SL, ISO 31000:2018 & ISO Guide 73:2009 regarding the concept of “risk”; whether it be through the definitions or clarification notes provided.

The Conundrum

If the authors of ISO 9001:2015 had subscribed to the views expressed in ISO 9000:2015, “Note 1”, then they would simply have used the word “risk” rather than repeatedly stating “risks and opportunities” as two separate concepts throughout the standard (in sections 4.4f, 5.1.2b, 6.1, 9.1.3e, 9.3.2e & 10.2.1e). For those who subscribe to the interpretation provided in “Note 1”, “risks and opportunities” is an incongruous term. Therefore, it appears that the authors subscribed to the views expressed in ISO 9000:2015, “Note 5”; and that “Note 5” was added in protest to ISO Annex SL.

Consequently, this strongly implied preference for ISO 9000:2015 “Note 5” over “Note 1” has created a conundrum for users over how to properly address “risk”.

Compounding the issue, neither ISO 9001:2015, ISO 9000:2015, ISO 31000:2018 nor ISO Guide 73:2009 define the words “opportunity” and “threat”. Furthermore, the user must ignore the other official ISO documents containing different definitions for “risk”, along with the various industry definitions, some of which only recognize “negative” risks (e.g., ISO 13485:2016).

Is the use of "Preventive Action" still valid?

While many organizations continue to use the term “preventive action” to address “negative risks”/threats (e.g., because it was embedded into their corrective action forms, databases, etc.), it fails to address “opportunities” (i.e., positive risks).

Even though use of “preventive action” is still permitted to address “negative risks”/threats, many ISO 9001 and AS9100:2016 registrars are encouraging their clients to eliminate use of the term “preventive action” and adopt the term “risks and opportunities” to ensure that both “threats” and “opportunities” are addressed within their QMS.

However, this presents challenges because other industry standards, such as ISO 13485:2016, “Medical Devices — Quality management systems — Requirements for regulatory purposes”, ISO 17020:2012, “Conformity Assessment — Requirements for the operation of various types of bodies performing inspection” (Option A) and AAR M-1003:2019, Section J, “Specification for Quality Assurance” all specifically require “preventive action” to be included in the QMS.

Records

The only “record” regarding “risks and opportunities” is specified in ISO 9001:2015, sec. 9.3, “Management Review”. This includes:

9.3.2 Management review inputs
The management review shall be planned and carried out taking into consideration:
e. the effectiveness of actions taken to address risks and opportunities (see 6.1);
f. opportunities for improvement.

Here again we see where ISO 9001:2015 is consistent with ISO 9000:2015, “Note 5” in considering “risks” as only “threats” by addressing “opportunities” separately (in 9.3.2e). It then specifically requires the organization to consider “opportunities for improvement” (in 9.3.2f), as if they were somehow excluded from the opportunities identified in 9.3.2e!

Due to the ambiguous/vague nature of the requirement, the “Management Review Meeting Minutes” could include a statement as simple as: “All of the actions taken to address risks and opportunities were determined by management to be effective.”

<note tip> Many ISO 9001:2015 consultants recommend the creation of a SWOT Analysis. While limited in its usefulness, a SWOT Analysis can provide:

  • some great talking points relating to “external and internal issues” (ISO 9001:2015, sec. 4.1),
  • useful information to help to “determine the risks and opportunities that need to be addressed” (ISO 9001:2015, sec. 6.1.1),
  • evidence that management has “considered” 9.3.2b, “changes in external and internal issues that are relevant to the quality management system” (when incorporated into the management review meeting minutes).

</note>

Further, ISO 9001:2015, sec. 9.3.3 “Management Review Outputs” states (with an additional requirement added to AS 9100:2016, shown in BOLD below):

9.3.3 Management Review Outputs
The outputs of the management review shall include decisions and actions related to:
a. opportunities for improvement;
b. any need for changes to the quality management system;
c. resource needs;
**d. risks identified.**


The organization shall retain documented information as evidence of the results of management reviews.

It is critical to note that sec. 9.3.3 is not simply a management review agenda topic. This section specifically requires the inclusion of any “decisions and actions” taken (or initiated) by management. However, it is interesting to note that the “decisions and actions related to opportunities for improvement” is limited to ONLY addressing opportunities related to “improvement”, specifically excluding “decisions and actions related to” other opportunities.

AS 9100:2016 expanded the requirement through adding 9.3.3d, which requires organizations to also address “decisions and actions related to risks identified”. Without knowing whether the authors of AS 9100:2016 subscribe to ISO 9000:2015 “Note 1” or “Note 5”, we cannot definitively interpret 9.3.3d as including “…decisions and actions related to” ALL of the “opportunities and threats” identified (as per “Note 1”); or as the “…decisions and actions related to” ONLY the “threats” identified (as per “Note 5”).

Conclusion

An organization can certainly continue to use “preventive actions” as a methodology within its QMS for addressing “negative risks”/threats PROVIDED that the organization also has a separate methodology of addressing “positive risks”/opportunities.

Supporting this, there is nothing stated in either the “ISO/TC 176/SC 2 Listing of Approved Interpretations against ISO 9001:2015” or “US TC 176 - TG22 - Interpretations” forbidding or restricting use of the “preventive action” methodology. And ISO 9000:2015 continues to recognize “preventive action” as a legitimate methodology (Ref. ISO 9000:2015, sec. 3.12.1).