The July issue of ASQ’s Quality Progress was one of the best issues I’ve read in a long time, with a much-appreciated emphasis on risk management and including a terrific article from Jayet Moon that served as an introduction to the new Quality Press book Foundations of Quality Risk Management, which is definitely now on my reading list. It should be noted that an excerpt for this book was also included for members, so the first 12 or so chapters can be checked out via PDF download prior to committing to the $45 cover price.
While I don’t typically spend a lot of time commenting on articles in Quality Progress – again, the particular issue was a standout issue in a year that has offered very little intrigue – there was also another gem that caught my eye and compelled me to write about: A Risky Mistake, with the subtitle reading: What went wrong with the risk-based thinking approach in ISO 9001:2015 which, over its 3 short pages, perfectly captures some of the frustration that many of us have felt since the publication of the latest revision of the world’s most widely used quality management system standard. The criticisms, though, are very much unlike the typical vitriol from your would-be late-night pundits and naysayers, rather, these criticisms of the standard are coming directly from the members of TC 176 with the article being authored by Charles A. Cianfrani, Isaac Sheps, and John E. “Jack” West.
While it seems like old news now, after seven years, we’re still talking about the way risk was defined in the latest revision of the standard and how ill-conceived the notion of risk-based thinking was, marking a nightmare for organizations and auditors alike for the better part of the last decade. While the authors preface the article with a statement doubling down on the need for risk-based thinking in any QMS to maintain competitive advantage and continual improvement, they acknowledge the flawed implementation of the concept and cite the following three things that went wrong that lead to the current state of the concept in the standard:
- Definition of risk
- Pairing risk with opportunities
- Auditability
Of the first, the authors admit that the use of the High Level Structure (HLS), now known as the harmonized approach (HA), didn’t meet its intended goal of creating a common definition and concept of risk to be employed throughout all management system standards (MSSs) using the approach, noting differences in the language of ISO 31000, ISO’s premier standard on risk management, and ISO 9000:2015, which set all of the vocabularies to be used throughout the set of quality management system standards in the ISO 9000 series. The article doesn’t describe why this discrepancy existed in the first place – a topic that it seems would be worthwhile exploring – but does note the following two points: 1) the discrepancy is certainly an error and the language from ISO 31000 should be used, and 2) even with point 1 being true, the error carried over into the 2021 revision of the HA, which kept the language from ISO 9000.
Without recreating the table from the article that highlights the differences in the language between the standards, I’ll highlight the most important bits. First, the HLS and the 2021 revision of the HA defines risk as the ‘effect of uncertainty,’ which was carried into ISO 9000:2015, and, by default, into ISO 9001:2015. ISO 31000:2018, however, defines risk as the ‘effect of uncertainty on objectives.’ The qualifications of risk being linked to objectives is compounded with Note 1 which in the HA and ISO 9000 states ‘an effect is a deviation from the expected-positive or negative,’ while the language of Note 1 in ISO 31000 reads, ‘an effect is a deviation from the expected. It can be positive, negative or both and can address, create or result in opportunities and threats.’
While the differences in language are clear, what is a bit perplexing in the article is that the authors on one hand suggest that the language of ISO 31000 should have been adopted for uniformity in the understanding of the concept of risk amongst MSSs, but they do go on to argue that there are issues with the definitions in ISO 31000 as well, namely that a) the effect of risk is not on the objective but on the ability to achieve an objective – which is a fair statement – and, b) they assert that the notion that risk can be positive is wrong. This would, of course, necessarily be true when considering the suggestion in point that risk affects an organization’s ability to achieve an objective, which, one would assume, would always be negative, but perplexing nonetheless in that the suggestion deviates both from ISO 9000 and ISO 31000, as well as the long-defended notion that risk can be both positive and negative – not that I’m disagreeing with any of the conclusions that they are now publicly sharing.
This last point drives right into the next: that it was a mistake to pair risk with opportunities. The argument here was that the pairing would indicate that a risk correlated with negative effects while opportunities correlates with positive effects. With the previous conversation highlighting that the effects of risk are always negative, the notion that risk should be divorced from opportunities in future iterations of the standard seems like a pretty obvious progression as well. The authors point out that there was a mistaken effect of this pairing in that, in their estimation, management used these words as justification for taking risks that they ought not to take hoping that they would expose themselves as opportunities. No risk, no reward, after all. The authors here argue that this was not the intent and are suggesting that future iterations keep the concepts separate, deleting all reference to opportunities from Clause 6.1 so that ‘actions to address risks and opportunities’ becomes simply ‘actions to address risks,’ focusing on addressing negative effects that will hinder an organization’s ability to reach objectives. I agree.
Finally, the authors address the difficulties in auditing the requirements to address risks and opportunities as part of planning, which has been a bane for organizations and auditors alike since the standards publications, although the authors only speak of the difficulties of auditing how an organization addresses opportunities as part of planning and ignores the challenges of auditing other aspects of the obscure notion of risk-based thinking. Still, the author’s arguments here are valid and appreciated. Of note, they cite 6.1.2, which reads, “opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new customers, building partnerships, using new technology and other desirable and viable possibilities to address the organization’s [needs] or its customer’s needs,’ then intently asking: Can an auditor decide whether an organization should launch a new product or address new customers? They state plainly that “The ISO 9001:2015 requirement to address opportunities as part of planning isn’t auditable,’ and conclude, “Such requirements are open to interpretation and aren’t recommended in the auditing world.” (Cianfrani et al., 2022)
This article serves as a stark reminder that the members of TC 176 are not evil corporate “yes men” who are intentionally obfuscating language in the published quality standard in order to sell their consulting services or prop up a failing ASQ or ISO, but that they are humans who sometimes make mistakes, and, upon reflecting on feedback from users, committee members, and the international community, are able to take decisive action to course correct. The admissions of the article were ones of humility and a genuine desire to publish a product that standardizes terms used to articulate generally accepted concepts for wide usage across standards and industries.
I have myself been both critical of TC 176 and their unauditable language included in ISO 9001 regarding risk and opportunities, as well as their plans for an upcoming revision to ISO 9001 despite international confirmation of the standard as-is, but at some point, I have to acknowledge that I can’t have it both ways. I can’t criticize TC 176 for the language that they included in the 2015 revision and then criticize them for wanting to update the standard to rectify their mistakes. For the sake of continual improvement of this standard, I have come to be of the mind that we ought to ignore the usual barrage of criticism offered by the ‘Alex Jones’’ of our profession who offer absolutely nothing to its progress and acknowledge that revision, at some point in the not-so-distant future, just may be necessary – or at least preferable.
References
Cianfrani, C. A., Sheps, I., & West, J. “. E. (2022, July). What Went Wrong With the Risk-Based Thinking Approach in ISO 9001:2015? Quality Progress, 55(5), 50-52. https://asq.org/quality-progress/articles/standard-issues-a-risky-mistake?id=15882a90ce2e4c5e87d1ba9d27822628
[…] You can see how this mirrors recent comments by TC 176 in an article that they published in ASQ’s Quality Progress in July regarding the definition of risk as adopted for ISO 9001, after spending years defending the definition, finally admitting that the definition used in Guide 73, ISO 31000, and, by default, ISO 9000 was not sufficient – see an excerpt on our coverage of the subject below from the article TC 176 Plans to Correct Mistakes With the Introduction of “Risk-Based Thinking” in ISO 9001:2015. […]
[…] You can see how this mirrors recent comments by TC 176 in an article that they published in ASQ’s Quality Progress in July regarding the definition of risk as adopted for ISO 9001, after spending years defending the definition, finally admitting that the definition used in Guide 73, ISO 31000, and, by default, ISO 9000 was not sufficient – see an excerpt on our coverage of the subject below from the article TC 176 Plans to Correct Mistakes With the Introduction of “Risk-Based Thinking” in ISO 9001:2015. […]