Risk-based thinking (RBT) is now an even more prominent part of every ISO Management System, and thus those based upon ISO requirements, like AS9100, AS9110, and AS9120. Risk-based thinking is employed in many of the requirements of AS9100 Rev D, including many major clause references. But risk-related directives are also noted in these clauses:
Clause 4: Context of the Organization
Clause 5: Leadership
Clause 8: Operation
Clause 9: Performance Evaluation
Clause 10: Improvement
Annex A.4: Risk-based Thinking
RBT is essential for a successful quality management system. RBT involves consideration of potential effects, which may result in outcomes that deviate from what is expected. By adopting RBT you will be able to plan ahead and take actions to prevent undesired events, such as a nonconformity, from occurring.
Actions to Address Risks and Opportunities
A risk can be positive or negative. Addressing a risk could mean pursuing an opportunity. Examples of opportunities include pursuing a new customer, product or technology.
Risks and opportunities are present in every process. Using RBT, organizations can plan for these potential risks or opportunities and take actions before they occur to control or prevent their effects. When planning for your quality management system, you are required to determine what your risks and opportunities are, plan the actions to take for addressing these risks and opportunities, and evaluate the effectiveness of the actions taken.
Operational Risk Management
Operational risks are those that may negatively impact a process, product, service, customer or end user. In order to meet the requirements around operational risks, you must have a process for how these will be managed. That process must be documented in a risk management procedure and needs to include,
- Assignment of responsibilities,
- Criteria for accessing risk,
- Management of actions to address risk,
- Acceptance of remaining risk after actions have been taken,
- Identification, assessment and communication of risk.
Risk is generally expressed in terms of likelihood and severity within the aviation, space and defense industries. A risk matrix accesses the degree of a risk based on these two factors. Accessing risk using this criterion will help you to determine which risks should be addressed.
ARP 9134 Risk Guidance Standard provides guidelines for supply chain risk management and can be a helpful tool for an organization needing to establish a risk management process.