Risk-based thinking (RBT) is now an even more prominent part of every ISO Management System, and thus of those based upon ISO requirements, like AS9100. Risk-based thinking is employed in many of the requirements of AS9100 Rev D, including many major clause references. Risk-related directives are also noted in these clauses:
- Clause 4: Context of the Organization
- Clause 5: Leadership
- Clause 8: Operation
- Clause 9: Performance Evaluation
- Clause 10: Improvement
- Annex A.4: Risk-based Thinking
Risk-based thinking (RBT) is essential for a successful quality management system. The new concept for RBT is to get organizations to think about what risks they face. RBT asks the organization to identify the risk, decide whether to take action, and then take action. But unlike risk management, it does not ask you to track the risk as the project progresses to determine if the actions taken have been effective. RBT involves consideration of potential effects, which may result in outcomes that deviate from what is expected. By adopting RBT you will be able to plan ahead and take actions to prevent undesired events, such as a nonconformity, from occurring.
In contrast, risk management does require you to track your actions and take action if your actions are not effective, or accept any risk that was not corrected. Risk management requires you not only to think about risk at certain stages of products and services, but also to have a process to track risks until they are addressed.
Tools to help Manage Risk
Actions to Address Risks and Opportunities
A risk can be positive or negative. Addressing a risk could mean pursuing an opportunity. Examples of opportunities include pursuing a new customer, product or technology.
Risks and opportunities are present in every process. Using RBT, organizations can plan for these potential risks or opportunities and take actions before they occur to control or prevent their effects. When planning for your quality management system, you are required to determine what your risks and opportunities are, plan the actions to take for addressing these risks and opportunities, and evaluate the effectiveness of the actions taken.
Operational Risk Management
Operational risks are those that may negatively impact a process, product, service, customer or end user. In order to meet the requirements around operational risks, you must have a process for how these will be managed. That process must be documented in a risk management procedure and needs to include:
- Assignment of responsibilities,
- Criteria for assessing risk,
- Management of actions to address risk,
- Acceptance of remaining risk after actions have been taken,
- Identification, assessment and communication of risk.
Risk is generally expressed in terms of likelihood and severity within the aviation, space and defense industries. A risk matrix assesses the degree of a risk based on these two factors. Assessing risk using these criteria will help you to determine which risks should be addressed.
ARP 9134 Risk Guidance Standard provides guidelines for supply chain risk management and can be a helpful tool for an organization needing to establish a risk management process.