
Cultivating Risk Based Thinking
to conform with new Management System Standards

Jim Whiting, Dr Leonie Horrigan, Ken Horrigan
Soteris Pty Ltd
www.soteris.com.au jim@soteris.com.au Ph. 0419 474 995

Integrated Risk Management System across all 7 Risk Domains
- based on common principles and processes of ISO 31000
[ Diagram: Our Business / Our people ]

RBT in Objective Decision Making

Why Risk Based Thinking RBT?
• Decision-Making requires at least informal qualitative RBT
• Planning involves decision-making
• Quality processes involve BOTH decision-making & planning
• Therefore, Quality processes involve RBT

Uncertainty & Confidence
Prediction / Forecasting
FAN Chart Example - Bank of England forecast from 09/10

Audience Participation a
Imagine that you are the Quality Manager of a company that produces very expensive cars.
Imagine you have discovered that there is a very serious, complex quality problem in the production line so that there is a risk that 600 very expensive cars will have to be rejected / destroyed if nothing is done about the problem.
Alternative risk control programs to combat the quality problem have been proposed to you.
Assume that the exact scientific estimates of the consequences of the options are as follows:-

Audience Participation b
If program A [ a sure thing ] is adopted, a certain 100% probability that 200 cars will definitely be saved.
If program B [ a gamble ] is adopted, a 33% probability all 600 cars will be saved and a 67% probability that no cars will be saved.
Which risk control option should you choose ?
Program A [ a sure thing ] ? or Program B [ a gamble ] ?

New Different Company !
BUT same Problem
If program X [ a sure thing ] is adopted, a certain 100% probability that 400 cars will definitely be rejected & destroyed.
If program Y [ a gamble ] is adopted, a 33% probability that none of the 600 cars will be rejected & destroyed and a 67% probability that all of the 600 cars will be rejected & destroyed.
Which risk control option should you choose ?
Program X [ a sure thing ] or Program Y [ a gamble ]

Takeout from that exercise ?
If we express certainty / uncertainty in terms of positive outcomes, we prefer a sure thing over a gamble.
BUT if we express certainty / uncertainty in terms of harmful negative outcomes, we sometimes prefer a reasonable gamble on a lowest harm option.
We are not always against “taking a calculated risk” if we perceive a lower loss is probable.

What is RISK & RBT ?
• In ISO 31000:2009 “Risk Management - Principles and Guidelines on Implementation,” risk is defined as the “effect of uncertainty on objectives,”
• and risk management as something that “aids decision making by taking account of uncertainty and its effect on achieving objectives and assessing the need for any actions to do so.”

Uncertainty
“unknown unknowns”
“possible” “probable”
“Black Swans = No prior experience”

Risk Language
Extract from APPENDIX to Paper
Better Terminology for Risk Based Conversations
• 3 pages of recommended risk terminology
• Give me your business card and I will send you a copy

Uncertainty & Variance
RBT or Risk Management (RM) processes are always implied & needed whenever the words ‘suitable’ or ‘appropriate’ are used as qualifiers of requirements for management decisions, planning & actions.
Judging suitability or appropriateness needs to be objective & the uncertainties involved should be diligently resolved, understood & managed SOFARP – So Far As is Reasonably Practicable [ practical business principle as well as a “legal” obligation as in OHSMS and EMS ]

What is RBT Risk Based Thinking ?
[ or QRM quality risk management ? ]
Is RBT :- decreasing chances of loss ? Or increasing chances of gain ?
Or lowering certainty of a negative consequence ? Or raising certainty of a positive consequence ?
Or reducing uncertainty regardless of consequences ?
Is RBT :- improving confidence and certainty in a world of uncertainty ?

What is quality RBT ?
or quality risk management ?
To take an assessed risk in any business process:
• Is normal
• Does involve speculation
• Is designed for positive outcomes, always for the chance of gain/benefit/opportunity, corporately and / or personally
while also recognising that there is usually a concurrent chance of loss / harm / damage
BUT the focus is always on gain NOT loss

Risk Communication
& Risk Based Language
Lack of Clarity, Confusion and Argument during Discussions and Decision-Making is mostly due to Inconsistent Use of Language
• Belief 1: 50% of the communication problems in the world result from people using the same words with different meanings.
• Belief 2: the other 50% comes from people using different words with the same meaning.

Examples of Different Connotations of Quality Risks
Danger: It is too risky to distribute that batch of under-spec product and then incur a recall cost as well as damage to our brand.
Probability: It would be highly likely that there would be an increased defect rate if we reduced the wall thickness of the casting mould.
Uncertainty: We cannot be sure how risky it would be to assign those sales staff who have had their training but their competencies have not yet been fully assessed.
Variability: With that machine adjustment, it is a risk to keep the width variations uniformly within a Six Sigma standard.
Dread: We will never make a risky design / planning decision that could cause the client group to rate us as the ‘worst in the market’.

Examples of Different Connotations of Safety Risks
Danger: I would not consider hang-gliding as the risk of being seriously hurt is far too much for me.
Probability: It is a high likelihood risk that the crane would topple if its outrigger stabilisers are deployed on soft ground.
Uncertainty: You can never be sure what risky additives are used in that food, how much is added, and how serious are their health effects.
Variability: Investing in small companies is risky, as their share prices fluctuate too much and too often.
Dread: I would be extremely fearful of living near a nuclear power station, the risk is way, way beyond ever being tolerable.

Risk Communication
– Perceptions and Language
• Risk communication is the two-way exchange of information about threats and opportunities.
• [New Risk Based Quality RBQ - Risk Talk APP]
• The goal of risk communication is to enhance knowledge and understanding, build trust and credibility, encourage dialogue, and influence attitudes, decisions, and behaviours.
• There are 7 cardinal rules for effective risk communication [ See paper ]

Risk Communication
– Perceptions and Language
3 important features of risk communication
• Emotional factors influence first impressions in communicating with others even without the need for verbal statements
• Non-verbal communication factors
• Individuals in a group do not always start with a common view of the nature and tolerability of any specific risk.

RBT Requirements in ISO 9001:2015
[ Indicative Record ONLY -refer to paper & training for detailed coverage ]
Introduction: The concept of risk-based thinking is generally explained.
4.4 Quality Management (QMS): The organisation is required to determine the processes of its Quality Management System (QMS) and to address both its risks and opportunities.
5.1.1 Org. Leadership: Top management is required to promote awareness of, and competence in risk-based thinking. Also to provide strong leadership in determining and addressing risks and opportunities that can affect product and service conformity.
5.1.2 Serving Customers: Risks and opportunities must become the core of serving an organisation's customer base, including not only maintaining quality, but to improve customer perceptions as well.
6.1.2 Risk-Driven Planning: The organisation is required to identify risks and opportunities related to QMS performance. Determining appropriate actions to address them needs to be the central planning focus. ISO 31000:2009 explains that these actions must be combinations of risk treatment options for the organisation's advantage, including risk avoidance, managed / tolerable risk-taking, & sharing risk with interested parties / customers / stakeholders.
7 Support: The organisation is required to determine and provide necessary resources for managing risks and opportunities. Risk Management (RM) processes are always implied whenever ‘suitable’ or ‘appropriate’ are mentioned as qualifiers of requirements for management decisions, planning and actions.
8 Operation: The organisation is required to manage all its operational processes to minimise risks and optimise opportunities. Risk is always implied when judgmental terms ‘suitable’ or ‘appropriate’ are mentioned as qualifiers to management decisions.
9.1.3 Measuring Performance: The organisation is required to monitor, measure, analyse and evaluate effectiveness of chosen risk treatment options taken to address the risks and opportunities in achieving its QMS objectives.
10 including 10.2 Nonconformity & Corrective Action: The organisation is required to correct, prevent (... manage the risk of…) or reduce undesired effects through an improved QMS which manages its risks and opportunities. Continual improvement requires iterative ongoing risk management processes involving review, recording, monitoring, re-assessing, and treating. If non-conformances are established, they must be factored back into the planned risk management approach to determine a new risk profile for appropriate management.

Basic 8 STEP Version of the RBT Process
1. What is Context & Scope of the process/issue /activity?
2. What Consequence C is of interest or concern?
3. How could it occur? Detail the Scenario?
4. Estimate the Likelihood L of that How scenario & then estimate Risk level [ R= L * C ]
5. Evaluate Risk level against tolerability criteria
6. Treat [ avoid / share / control ] SOFARP
7. Record
8. Monitor/Review

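The 8 steps above as one runnable risk register entry, added here as an illustration and not taken from the Soteris slides or paper. It scores R = L * C on ordinal scales, evaluates the result against traffic-light tolerability bands, applies treatments that lower L, C or both (control / share / avoid), and records the residual. The 3-level consequence scale follows the deck's sample severity scale (Minor 1, Major 2, Critical 3); the 5-level likelihood scale, the band edges, the scenario and the treatments are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Step 4 inputs: qualitative scales. The 3-level consequence scale mirrors the
# deck's sample severity scale; the 5-level likelihood scale and every
# threshold below are assumptions made for this example.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost certain": 5}
CONSEQUENCE = {"Minor": 1, "Major": 2, "Critical": 3}


def risk_level(likelihood: str, consequence: str) -> int:
    """R = L * C on the ordinal scales above (step 4)."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def evaluate(r: int) -> str:
    """Step 5: traffic-light tolerability / action bands on R (assumed edges, max R is 15)."""
    if r >= 9:
        return "RED: intolerable, treat before proceeding"
    if r >= 5:
        return "AMBER: tolerable only if reduced SOFARP"
    return "GREEN: tolerable, record and monitor"


@dataclass
class Treatment:
    """Step 6 option. kind is 'control', 'share' or 'avoid'; the *_after fields
    give the new L or C rating after the treatment (None = unchanged)."""
    kind: str
    description: str
    likelihood_after: Optional[str] = None
    consequence_after: Optional[str] = None


@dataclass
class RiskRecord:
    """One risk register entry (step 7); fields follow steps 1 to 4 and 8."""
    context: str
    consequence: str
    scenario: str
    likelihood: str
    treatments: List[Treatment] = field(default_factory=list)
    review_due: str = ""  # step 8: when the entry is next monitored / reviewed

    def inherent_risk(self) -> int:
        return risk_level(self.likelihood, self.consequence)

    def residual_after_each(self) -> List[int]:
        """R after each treatment in turn. A treatment may lower L, C or both;
        'avoid' removes the exposure entirely. A treatment that would raise a
        rating is rejected as a data-entry error instead of being applied."""
        l, c, out = self.likelihood, self.consequence, []
        for t in self.treatments:
            if t.kind == "avoid":
                out.append(0)
                break
            new_l = t.likelihood_after or l
            new_c = t.consequence_after or c
            if LIKELIHOOD[new_l] > LIKELIHOOD[l] or CONSEQUENCE[new_c] > CONSEQUENCE[c]:
                raise ValueError(f"treatment '{t.description}' would raise the risk rating")
            l, c = new_l, new_c
            out.append(risk_level(l, c))
        return out

    def residual_risk(self) -> int:
        steps = self.residual_after_each()
        return steps[-1] if steps else self.inherent_risk()

    def register_row(self) -> dict:
        """Step 7 record, with the step 8 review date carried along."""
        return {
            "context": self.context, "consequence": self.consequence,
            "scenario": self.scenario, "likelihood": self.likelihood,
            "inherent_R": self.inherent_risk(), "inherent_band": evaluate(self.inherent_risk()),
            "treatments": [t.description for t in self.treatments],
            "residual_R": self.residual_risk(), "residual_band": evaluate(self.residual_risk()),
            "review_due": self.review_due,
        }


def build_example_record() -> RiskRecord:
    """Constructed scenario, loosely based on the deck's under-spec batch example."""
    return RiskRecord(
        context="Release of finished batches from casting line 2",
        consequence="Critical",
        scenario="An under-spec batch is shipped; product recall and brand damage follow",
        likelihood="Likely",
        treatments=[
            Treatment("control", "Add in-line wall-thickness gauge before packing", likelihood_after="Unlikely"),
            Treatment("share", "Recall-cost clause in distributor contract", consequence_after="Major"),
        ],
        review_due="next management review",
    )


if __name__ == "__main__":
    for key, value in build_example_record().register_row().items():
        print(f"{key:>14}: {value}")
```

Treatments are applied in order so the register shows the path from inherent to residual risk (12 RED, then 6 AMBER after the control, then 4 GREEN after sharing the consequence); a treatment that would raise a rating is refused rather than silently accepted, and 'avoid' short-circuits to zero because the exposure no longer exists.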
ISO 31000: 2009 Risk Assessment
ANSI Z690-2:2011
[ Process diagram, Artwork © 2009 risk@workplaces pty ltd ]
Establish Context & Scope of the Risk exposures
Identify: Describe the Risk exposures in detail
Analyse: Estimate/Calculate size R=L*C
Evaluate: Is Risk tolerable ? Is risk reduced SOFARP ? YES: No further Actions required. NO: Treat
Treat: Control / Avoid / Share
Throughout: Communicate & Consult; Monitor & Review; Record

Putting the “R” in QRM
• QM can often be a reactive approach to compliance with standards by controlling variances AFTER they have occurred
- focus can be on “correction” of defects / non-conformities
- rather than “minimising risk” of defects / non-conformities
• QRM is essentially a proactive approach to managing the sources or causes of issues BEFORE they affect outcomes
• Corrective Action is reactive
• Risk Treatment / Control is proactive
• Risk Treatment is Corrective Action BEFORE you need to

Putting the “R” in QRM
Objectives | Risks [ Double Negative Focus ] | Opportunities [ Double Positive Focus ]
zero defects { this process & the next } OR Six Sigma | reduce risk of defects | achieve full conformity { this process & the next } OR achieve Six Sigma
customer satisfaction | reduce risk of customer dissatisfaction | guarantee customer satisfaction
control of process variance | reduce risk of uncontrolled process variance | gain control of process variance
reliability | reduce risk of unreliability | assure reliability
security | reduce risk of breach of security | ensure security
fit for purpose | reduce risk of lack of fitness for purpose | warrant fit for purpose

Transition from Preventive Action to Quality RM or RBT
To emphasise proactivity in managing Quality as with other business imperatives, Preventive Action is replaced by RBT
ISO 9001:2008 | ISO 9001:2015
-- | 4.1 Understanding the organisation & context
8.5.3 Preventive Action | 6.1 Actions to address risks & opportunities
5.4.2 QMS planning | 6.3 Planning of changes

Is RBT the same as Preventative Action ?
Although they appear to be the same or similar proactive approaches, an important difference is that :-
Preventive Action usually refers to preventing future problems, whereas RBT is about both :- maximising opportunities for positive outcomes & minimising risks of negative consequences of all business activities.
Quality Risk Management QRM or QRBT is about maximising chances of gain by exploitation of opportunities as well as minimising chances of loss caused by intentional or unintentional exposure to quality hazards or quality risk factors.

Preventive Action & False Confidence
The term preventive action often gives false confidence.
It implies the absolute view that a remedial action can be devised that will permanently reduce risks to absolute zero 0% or exploit opportunities to 100% forever.
No risk control or mitigation measure can ever prevent, stop, eliminate risk completely, forever!
RBT is not defeatist nor fatalist. Rather it recognises the need to be perpetually concerned & wary, knowing that every risk control measure is NOT always in place and is NOT always perfect/effective.
If the price of freedom is eternal vigilance, then the price of quality is eternal concern or chronic unease!

Another Advantage of RBT
Not only does RBT make risk communications better by recognising the need to say – reduce the risk of … rather than prevent….
Similarly, instead of terminology such as :- Corrective Actions, Quality Measures, Preventive Measures, Preventive Actions, Safeguards, Barriers, Layers of Protection, Mitigating Factors,…………
use either the single terms Risk Treatment or Risk Controls for ALL of them

RBT & MOC
Management of Change
An important early stage of assessing quality risks - risk identification - is to ask the questions :-
What quality risk factors could change?
What could be different?
What could become abnormal? unusual? extraordinary?
These questions must always include reference to human actions or inactions.
We are the most common source of inconsistency and unreliability.

RBT & MOC
Management of Change
Risk Based Thinking (RBT) is based on the core principle that most if not all risk factors are related to change.
RBT places a strong emphasis on the need for vigilant Management of Change (MOC) (Clauses 6.3, 8.2.4, 8.3.6, 8.5.6, and 9.1).
The causal factors of actual quality incidents and risk factors of probable quality risks are nearly always 100% related to changes in the customers’ requirements, the organisation’s needs, work methods, designs, materials, equipment, people, work environments etc.
Recognition of the never-ending need to improve MOC is one of the strongest motivations for adoption of RBT.

“Documented Information”
Maintain & Retain
No distinction between documents & records.
Both referred to as documented information.
Information must be controlled & maintained.
To maintain documented information refers to Procedures, and to retain documented information refers to Records.

“Documented Information” & RBT
Is there a requirement to have Documented Information for RBT processes themselves?
Simply, YES, and RBT processes provide a level of seriousness of the risks involved which then can determine degree of formality, depth & complexity of documentation required. RBT Procedures themselves need to be defined according to the organisation’s context & risk tolerability criteria.
RBT as the structured proactive process of managing risks and opportunities can actually produce better, and even fewer, procedures.

“suitable” & “appropriate” & RBT
Now a reduced emphasis on documentation e.g. Quality Manual & formal Procedures
Where ‘suitable’ and ‘appropriate’ are quoted in 9001, there is still a requirement to produce, record, and maintain necessary Documented Information to ensure and demonstrate diligent achievement of business objectives.
Documented Information still includes records – in soft and/or hard formats - copies of manuals, instructions, quality performance assessments, quality risk assessments and risk registers [ see example in Paper ]

How do we calculate risk ?
Qualitative Risk Analysis
Qualitative [ traffic light approach ]

Quantitative Risk Analysis
[ Indicative Record ONLY -refer to training for detail ]
Semi-Quantitative: Estimate the composite Likelihood of the whole scenario
Full Quantitative QRA: Estimate and compound the Likelihood of each and every risk factor in the scenario

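An added example (not from the slides) contrasting the two approaches named on this slide: a semi-quantitative single composite likelihood for the whole scenario, beside a full QRA that compounds the likelihood of each risk factor through an AND/OR tree. Every probability, the factor tree, the composite estimate and the likelihood band edges are constructed for this example, and the factors are assumed to be independent.

```python
from typing import List, Tuple, Union

# A scenario is modelled as a small AND/OR tree of risk factors. A leaf is the
# probability (assumed to be per batch) that one factor occurs; an AND node
# needs all of its children, an OR node needs any one of them. Factors are
# treated as statistically independent, which is itself an assumption that a
# real QRA must check.
Node = Union[float, Tuple[str, list]]


def compound(node: Node) -> float:
    """Full QRA: compound the likelihood of each and every factor in the tree."""
    if isinstance(node, (int, float)):
        p = float(node)
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
        return p
    gate, children = node
    probs = [compound(child) for child in children]
    if gate == "AND":                  # all factors must occur: multiply
        product = 1.0
        for p in probs:
            product *= p
        return product
    if gate == "OR":                   # at least one occurs: 1 - P(none occur)
        none_occur = 1.0
        for p in probs:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate: {gate}")


def rate_likelihood(p: float) -> str:
    """Map a probability back onto a qualitative L scale (assumed band edges)."""
    if p >= 0.5:
        return "Almost certain"
    if p >= 0.1:
        return "Likely"
    if p >= 0.01:
        return "Possible"
    if p >= 0.001:
        return "Unlikely"
    return "Rare"


# Constructed scenario: an under-spec batch reaches the customer. It needs a
# defect to be produced AND the defect to escape both detection steps.
SCENARIO: Node = ("AND", [
    ("OR", [0.2,     # mould wear drifts wall thickness out of spec
            0.1]),   # operator setup error
    ("AND", [0.05,   # in-line gauge misses the defect
             0.5]),  # final visual inspection misses it
])

# Semi-quantitative alternative: one expert's composite estimate for the whole
# scenario, made without decomposing it (constructed value).
COMPOSITE_ESTIMATE = 0.05


def compare() -> dict:
    """Put the two approaches side by side; here they land a band apart."""
    full = compound(SCENARIO)
    return {
        "semi_quantitative": (COMPOSITE_ESTIMATE, rate_likelihood(COMPOSITE_ESTIMATE)),
        "full_qra": (round(full, 6), rate_likelihood(full)),
    }


if __name__ == "__main__":
    for method, (p, band) in compare().items():
        print(f"{method:>18}: p = {p:<8} -> {band}")
```

With these constructed numbers the composite guess (0.05, Possible) sits a band above the compounded value (0.28 × 0.025 = 0.007, Unlikely); the point of the full QRA is that the decomposition makes the disagreement visible and attributable to a specific factor, here the two detection steps.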
Quality Risk Consequence Severity Scale
The C in the expression R = L * C
{ scales to be decided by Board within scope, context, and policy }
[ Indicative Record ONLY -refer to training for detail ]

[ Process diagram ]
Establish the Context of the risk exposures
Identify: Specify / Describe the Risk exposures in detail
Analyze: Estimate / Calculate the size of risk R = L * C
Evaluate the risk level: Is it tolerable ? SOFARP ? YES: Record, Monitor & Review. NO: Treat the Risk ( control / avoid / share )

Risk Treatment Options
[ Diagram: Likelihood (vertical axis) vs Consequence Severity (horizontal axis) ]
Inherent Risk treated by:
[A] Decrease both L and C -> Residual Risk [A]
[B] Decrease Likelihood -> Residual Risk [B]
[C] Decrease Severity -> Residual Risk [C]

Record / Monitor / Review
Example of a Risk / Opportunity Register
[ Indicative Record ONLY -refer to training for detail ]

Risk Management Training
[ Indicative Record ONLY -refer to training for detail ]

Thanks for your Attention !
Any Questions ?
jim@soteris.com.au

Psychology of RBT
[ Indicative Record ONLY -refer to training options for detail ]
• Behavioural Decision-Making
• Risk Perception
• Personality Factors in RBT
• Cognitive Biases and Heuristics
• Lessons from Neuroscience

Cultivating a RBT Culture
[ Indicative Record ONLY -refer to training options for detail ]
• RBT or RBQ Culture Development
• Embedding RB Principles in all business processes
• New Common Uniform Approach to Objective Business Decision-Making

Spare Slides

Variance
Six Sigma Quality Conformance
Defects / Nonconformities: 0.00034 % = 3.4 in 1,000,000 = 3.4 chances in 1,000,000
Flawless / Correct / Conforming: 99.99966 % = 999,997 in 1,000,000 = 999,997 chances in 1,000,000

ERM System ? Integrated MSs ?
[ Indicative Record ONLY -refer to training options for detail ]
• Integrate as much or as little as you want / need
• RBT is the optimum integrating medium
• New Common Uniform Approach to Objective Business Decision-Making
• Applying RBT Principles across all Risk Domains / Categories
• Can still maintain Uniqueness of different Risk Domains / Categories while embedding Common, Consistent Principles & Processes in each
• Still have Empires [ & Emperors ] without Silos

Uncertainty & Variance
All aspects of any MS have inherent uncertainties in the system’s ability to manage the activities of an organisation to achieve its objectives.
Managing those uncertainties is called RBT or Risk Management - best described in ISO 31000
In ISO 31000, risk is defined as :- “the effect of uncertainty on objectives”
An effect is a +/- deviation from what is expected or planned.
Uncertainty is a state, even partial, of incomplete, inadequate information, knowledge and understanding of the nature and likelihood of each event and circumstance in a scenario.

Basic 10 STEP Version of the RBT Process
1. What is Context & Scope of the issue / activity?
2. Communicate & Consult with Interested Parties
3. What +/- consequences or impacts are possible?
4. Choose 1 of the consequences/impacts at a time
5. Identify How could it occur? Detail the Scenario?
6. Analyse / Estimate the L likelihood of that How scenario & then estimate Risk level R= L * C
7. Evaluate R level with tolerability / action criteria
8. Treat [ avoid / share / control ] SOFARP
9. Record Documented information
10. Monitor/Review [MOC] – continual improvement

ISO 31000 Fig 1 Relationship between RM Principles/Framework/Process
[ Figure, Artwork © 2010 ]
Principles ( Clause 3 ):
a) Creates value
b) Integral Part of organisational Processes
c) Part of Decision making
d) Explicitly addresses uncertainty
e) Systematic structured & timely
f) Based on the best available information
g) Tailored
h) Human & cultural factors into account
i) Transparent and inclusive.
j) Dynamic iterative & responsive to change
k) Facilitates continual improvement and enhancement
Framework ( Clause 4 ):
4.2 Mandate & Commitment
4.3 Design of RM framework
4.4 Implementing RM Framework
4.5 Monitoring & Review of Framework
4.6 Continual Improvement of Framework
Process ( Clause 5 ):
5.2 Communication & Consultation
5.3 Establishing the context
5.4 Risk Assessment - Risk Identification - Risk Analysis - Risk Evaluation
5.5 Risk Treatment - Selection of Treatment Options - Preparing / Implementing Plans
5.6 Monitoring & Review
5.7 Recording the RM Process

Risk Communication & Uncertainty
• Many of the obstacles to effective communication derive from complexity, incompleteness, and uncertainty of information & data.
• Guidelines to address uncertainty ;
  • Acknowledge – do not hide – uncertainty.
  • Explain that risks are often hard to assess and estimate.
  • Explain how the risk estimates were obtained & by whom.
  • Share risk information and its limits of certainty promptly.
  • Tell people what you believe:
    (a) is certain, or nearly certain;
    (b) is not known or may never be known;
    (c) is likely or unlikely or highly improbable; and
    (d) can be done to reduce uncertainty.
  • Admit that what you believe may later turn out to be wrong.

“Documented Information” & RBT
For internal and external purposes, there is still the fundamental imperative of having formal risk based evidence of conformance.
For particular quality risks and opportunities, QM practitioners still need to document whatever procedures have been processed as suitable & appropriate parts of risk treatments / controls.
Risk control procedures - however minimal - need to be developed with risk based thinking & principles. They need to cover the ‘why’ as well as the ‘how’ the activity is to be performed.

Risk Treatment Options
Hierarchy of Risk controls
[ Indicative Record ONLY -refer to training for detail ]

Concluding Points
Black Swan Principles
• Beyond any past personal experiences ?
• Believed to be impossible ? Improbable ?
• Low [ or Zero ? ] Likelihood ?
• Risks that are low Likelihood [ L ] but high Consequence [ C ]

Uncertainty & Variance
Uncertainty in decision-making is a core management issue which can never be ignored nor discounted.
Always be conscious of the uncertainty in our knowledge of the risk factors of all business risks and opportunities.
Risk Management or RBT is our way of managing uncertainty.
Certainty and uncertainty in knowledge & understanding can be expressed in terms of three categories: known knowns, known unknowns, and unknown unknowns.
Change means unknown unknowns can always exist.
Past historical information & data cannot guarantee certainty in predicting and foreseeing future probabilities.

Wise
[ image-only slides ]

Risk Evaluation
Tolerability & Action Criteria
[ Indicative Record ONLY -refer to training for detail ]

Audience Participation 1
Make a prediction as to where the graph is headed by attaching a % Probability to each possibility.
[ Graph with a Time axis; rates and time values removed ]
Up 37
Same 46
Down 8
Can’t Say 9
Just to remind you, the probabilities have to add up to 100.
We have removed the rates and time from the axes of the graphs as they are irrelevant in this game

“Downside” & “Upside”
Risk & Opportunity
[ Indicative Record ONLY -refer to training for detail ]
Negative & Positive consequences or outcomes

Uncertainty & Variance
[ Indicative Record ONLY -refer to paper for detailed coverage ]
i. Re aspects of a QMS, there are things that we know that we know, i.e. known knowns. These are the things that we are confident we are reasonably certain that we are aware of, and understand well. [ comfortable but dangerous ]
ii. However, there are also known unknowns. That is to say there are things that we do recognise we don't know or don’t fully understand all of their characteristics. These situations represent one important area of uncomfortable uncertainty requiring a risk management approach.
iii. But there are also unknown unknowns or Black Swans*, or Black Ice. There are things we don’t even know that we don't know, as well as not knowing exactly what they are. As with (ii) above, these represent another challenge of uncomfortable uncertainty that can only be managed in a risk management context.

Sample 3 Level Severity Scale
For Quality Consequences
[ Indicative Record ONLY -refer to paper for detailed coverage ]
Severity Label [ C Level ] - Verbal Description of Non-Conformance
Critical [ C = 3 ]
• Any nonconformity which involves health & safety risks to anyone using, maintaining, depending upon, affected by, interacting with, the product or service.
• Ditto – significant risks eg, Financial / Environment / PR.
• Any nonconformity involving a risk to a vital operational activity.
• Any regulatory non-conformity.
Major [ C = 2 ]
• Any unplanned extra work, retrofitting, rework, repeat service calls, repairs
• Any non-conforming goods or materials from suppliers.
• Any instances of non-conforming finished product/service.
• Any cost overruns and non-budgeted expense.
• Any multiple or repetitive minor non-conformities.
• Any interruptions to a customer’s schedule.
• Any major delays to the organisation’s operations.
• Any interruptions to the organisation’s delivery schedule.
Minor [ C = 1 ] - The issue involves :-
• little risk of affecting the customer’s requirements.
• no significant risk of waste, rework.
• a low frequency / likelihood of occurrence.
• minor different risk controls that are easy and low cost.

Qualitative Risk Analysis Tools
[ Indicative Record ONLY -refer to paper for detailed coverage ]

Sample Consequence C Selection Guidance
[ Indicative Record ONLY -refer to paper & training for detailed coverage]

Sample Likelihood L Estimation Guidance
[ Indicative Record ONLY -refer to paper & training for detailed coverage]

Factors influencing personal Risk perceptions
[ Indicative Record ONLY -refer to paper & training for detailed coverage]
