Recalibrating Quality: The Role of Risk-Based Thinking
- Dr. Ulrich Harmes-Liedtke
- Oct 28, 2024
- 7 min read
Updated: Apr 24
Risk-based thinking has emerged as a cornerstone of modern quality management and is simultaneously used in conformity assessment and market surveillance.
This article aims to deepen our understanding of the connection between risk, quality, and safety. It explains its significance for quality management, conformity assessment, market surveillance, and the overarching quality infrastructure. In doing so, we address how risk thinking has developed and will continue to develop in the world of quality.
The Interplay of Quality and Risk
The relationship between quality and risk is crucial: higher quality often means lower risk, whereas poor quality typically raises the likelihood of adverse outcomes.
For example, consider two cars: one well-maintained with advanced safety features and another with minimal maintenance and basic safety measures. The well-maintained car is less likely to break down or get involved in accidents, ensuring more reliable performance and safety. Conversely, the lower-quality car is at greater risk of mechanical failures, safety hazards, and operational issues.
In manufacturing, proactive quality control measures, such as routine equipment maintenance and employee training, help minimise product defects and associated risks. Similarly, in the service sector, quality assurance mechanisms like customer feedback systems can identify potential service issues before they escalate.
A focus on continuous improvement benefits both quality and risk management. Risk assessments help pinpoint opportunities for enhancement.
Product risk and market opportunities
The diagram summarises a broader understanding of product-related risk thinking:

The first aim of risk management is to identify and minimise risks to the safety and health of employees and consumers. The state has a protective mandate that considers this through regulations and market surveillance. In principle, state agencies focus on controlling and mitigating serious risks.
Due to limited public resources, the state frequently delegates product control to the companies that manufacture or place products on the market. In the European Union, economic operators indicate that a product complies with all technical regulations by affixing the CE mark. However, risk management also extends to quality assurance. Here, the main concern is that the supplier fulfils the contractually agreed product properties. The company is legally protected from liability if it relies on standards and accredited conformity assessment services.
Another area of risk management relates to the so-called positive risks. Behind many threats, in turn, lie business opportunities. However, a different mindset is needed to take advantage of these. While traditional risk management requires risk-averse thinking, opportunity management requires a more risk-taking attitude. To do this, involving a different type of person may be helpful.
Three types of risk management

Risk-based thinking can be applied at all levels of quality management:
At the product and service level, it involves anticipating potential events that could cause these products and services to fail in meeting the safety and quality standards outlined in product regulations and other claims.
Control systems support product safety and quality at the process level. Hazard analysis is carried out in food safety at critical control points (HACCP systems). In manufacturing construction materials, factory production control (FPC) ensures that the products placed on the market have consistent performance characteristics.
Finally, risk thinking is also relevant at the organisational level. Here, the aim is to anticipate possible risks of penalties and reputational damage. Ultimately, it is about the company’s competitiveness and long-term survival.

Risk management cycle
Risk management follows a process logic that is usually presented in a cycle:
The first step is to identify possible risks. These can be events within the company or from outside. In principle, internal risks are usually easier to control and influence, while external risks require companies to adapt as best as possible.
In the second step, the identified risks are assessed regarding their probability of occurrence and possible effects. Possible events can be arranged in an impact and likelihood matrix. This, of course, assumes that a probability/impact assessment is possible. However, certain risks are often difficult to assess and qualify. So-called wild risks or “black swan events” often elude this approach.
Once the risks have been identified and assessed, the next step is to treat them. In the case of negative risks, measures must be taken to mitigate them, if necessary. Conversely, utilising identified opportunities is a matter of taking a more iterative, risk-taking approach. Both approaches can be combined in integrated risk and opportunity management.
Ultimately, the aim is to monitor and report risks continuously to management. Successful risk management is a continuous process.
In this way, risk management follows the same circular understanding as the continuous improvement process in quality management.
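The four steps of the cycle can be made concrete as a small risk register that scores each entry on an impact and likelihood matrix, maps the rating to a treatment option, re-scores the residual risk after a control is applied, and produces the monitoring report. The following is an added example and not code from the article: the 5-point scales, the rating thresholds, the treatment labels and the register entries are all assumptions chosen for illustration. It also covers the caveat in the assessment step: a risk with no credible probability or impact estimate is kept in the register and flagged rather than silently scored.

```python
"""Risk register with an impact/likelihood matrix and a treat-and-monitor loop.

Added example; not from the article. Scales, thresholds and entries are assumed.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Assumed 5-point ordinal scales (ISO 31000 does not prescribe any particular scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    source: str                        # step 1: "internal" or "external"
    kind: str = "threat"               # "threat" (negative) or "opportunity" (positive)
    likelihood: Optional[str] = None   # None = no credible estimate ("wild" risk)
    impact: Optional[str] = None


def score(risk: Risk) -> Optional[int]:
    """Step 2: cell of the impact x likelihood matrix; None when it cannot be assessed."""
    if risk.likelihood is None or risk.impact is None:
        return None
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def rating(risk: Risk) -> str:
    """Assumed thresholds on the 1..25 matrix: >=15 high, >=8 medium, else low."""
    s = score(risk)
    if s is None:
        return "unassessable"
    if s >= 15:
        return "high"
    if s >= 8:
        return "medium"
    return "low"


def treatment(risk: Risk) -> str:
    """Step 3: treatment option per rating; threats and opportunities use different menus."""
    r = rating(risk)
    if r == "unassessable":
        # Probability/impact scoring does not apply; route to resilience planning instead.
        return "resilience planning (emerging risk, ISO/TS 31050)"
    if risk.kind == "opportunity":
        return {"high": "exploit", "medium": "enhance", "low": "monitor"}[r]
    return {"high": "avoid or reduce now", "medium": "reduce or transfer", "low": "accept"}[r]


def prioritise(register: List[Risk]) -> List[Risk]:
    """Unassessable risks surface first so they are not lost, then highest score first."""
    return sorted(register, key=lambda r: (score(r) is not None, -(score(r) or 0)))


def treat(risk: Risk, likelihood: str, impact: str) -> Risk:
    """After a control is applied, re-assess; the residual risk re-enters the cycle."""
    return replace(risk, likelihood=likelihood, impact=impact)


def monitoring_report(register: List[Risk]) -> Dict[str, int]:
    """Step 4: counts per rating for the report to management."""
    report = {"high": 0, "medium": 0, "low": 0, "unassessable": 0}
    for r in register:
        report[rating(r)] += 1
    return report


# Constructed sample register (illustrative entries, not real data).
REGISTER = [
    Risk("Single-source supplier in conflict region", "external", "threat", "possible", "major"),
    Risk("Uncalibrated test equipment", "internal", "threat", "likely", "major"),
    Risk("Substitute material fails regulatory test", "internal", "threat", "unlikely", "severe"),
    Risk("Minor packaging defect", "internal", "threat", "possible", "negligible"),
    Risk("New market opens after competitor recall", "external", "opportunity", "likely", "major"),
    Risk("Novel AI-driven fraud scheme", "external", "threat"),  # no credible estimate yet
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{rating(r):>12} {str(score(r)):>5}  {treatment(r):<48} {r.name}")
    print(monitoring_report(REGISTER))
    # Residual risk after qualifying a second supplier (constructed re-assessment).
    residual = treat(REGISTER[0], "unlikely", "moderate")
    print(rating(residual), treatment(residual))
```

Running the register prints the prioritised list, the report to management and the residual rating of the supplier risk after a second supplier is qualified; the same functions can be re-run each reporting period, which is the continuous loop the text describes.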
Risk Management in Quality Standards
Risk is defined in ISO 9001:2015 as the “effect of uncertainty on an expected result.”
The 2015 revision of ISO 9001 made risk-based thinking more prominent by replacing the previous “preventive action” approach with a broader view of risk that includes both negative threats and positive opportunities.
ISO 9001:2015 requires organisations to address risks and opportunities systematically, allowing for diverse strategies such as risk avoidance, reduction, and acceptance based on informed decision-making. However, the standard does not prescribe specific risk management methods, encouraging companies to integrate risk management practices into their overall quality initiatives.

ISO 31000:2018 provides specific guidance for risk management. The standard is based on the described model of the risk management cycle and lists different techniques for the various phases. It also emphasises the importance of risk communication and consultation.
ISO 31000 applies to various types of management systems such as ISO 9001 (quality), ISO/IEC 27001 (information security) and ISO 20000 (IT service management). Although ISO 31000 is not certifiable, it provides valuable tools for improving risk-based thinking in various fields.
A new version of ISO 31000 is currently under development.
The Limits of Risk-based Thinking
Traditional risk management is most effective when risks are clearly defined, and their probabilities can be calculated. However, the complex, interconnected nature of modern risks often defies linear cause-and-effect reasoning, and in such cases, conventional risk management approaches may fall short.
We live in a volatile, uncertain, complex and ambiguous (VUCA) world, and companies increasingly face unexpected risks. Examples include extreme weather events such as heat waves, cold spells, torrential rains, tropical cyclones and prolonged droughts. Another example is the unintended consequences of introducing new digital technologies, such as artificial intelligence, which can compromise data security and facilitate cybercrime and the spread of fake news.
One response to these new phenomena is provided by ISO/TS 31050:2023 Risk Management – Guidelines for managing an emerging risk to strengthen resilience. This standard aims to promote organisational resilience, i.e. to enable organisations to anticipate, prepare for and respond to changes in context. ISO/TS 31050 is an essential tool for effectively managing emerging risks.
Beyond Compliance: Strategic Risk Management
Embedding risk-based thinking into quality management systems extends beyond regulatory compliance. It promotes a culture of continuous improvement, where organisations proactively identify and address risks, prioritise them, and seize opportunities. This strategic approach helps organisations make informed decisions that boost efficiency and competitiveness, driving better performance and sustainable growth.
Combining risk management with quality practices helps prevent adverse outcomes while supporting ongoing improvement initiatives. Organisations that adopt this mindset gain a competitive edge in today’s dynamic business environment, where adaptability and resilience are key.
A Complex Example: Supply Chain Disruptions
Consider a company that sources components from multiple suppliers worldwide. A geopolitical conflict in one region could disrupt transportation, delaying the delivery of critical parts. The immediate impact may be a delay, but ripple effects could include:
- Compromised product quality: Accelerated production or using lower-quality materials to compensate for delays may lead to quality deviations.
- Increased supplier risk: Original suppliers may struggle to meet new deadlines, leading to further inconsistencies.
- Regulatory non-compliance: Substitute materials might not meet regulatory standards, resulting in legal liabilities.
- Customer dissatisfaction: Delays and quality issues could damage customer trust and affect brand reputation.
In this scenario, the disruption’s cascading effects intersect with various quality dimensions, highlighting the need for adaptive, context-aware risk management that considers interconnected risks.
Role of quality infrastructure
Quality infrastructure institutions support risk-based thinking in organisations and economic contexts. Standardisation lays the conceptual foundations and communicates best risk management practices through guidelines such as ISO 31000 and ISO/TS 31050.
Product standards are essential for identifying important risks and contain good practices for preventing and mitigating risks. Process and management system standards expand risk management and, in turn, contribute significantly to product safety and quality. For example, identifying problems and applying corrective actions to the system or process can help mitigate the risk of defects in the final product.
Conformity assessment services help minimise risks between economic operators through testing, certification, and inspection. Conformity assessment begins with identifying the legal and regulatory requirements relevant to the company. This includes EU directives, regulations, and other legal requirements for the company’s products and processes. This process helps to identify potential compliance risks at an early stage.
Metrology contributes to risk management in the company by providing the basis for precise measurements, reliable data and well-founded decisions. In production, metrology helps to ensure specified tolerances are met and production risks are minimised. Precise measurements ensure product quality and safety, reducing the risk of recalls or liability claims. In medicine and pharmacy, the precision of measurements is crucial for patient safety. Metrological methods help minimise risks in medication dosage or diagnostic procedures.
In the future, integrating artificial intelligence and machine learning into metrological processes is expected to lead to even more accurate and efficient measurements. This will further improve risk management by enabling even more precise identification and assessment of risks.
Due to scarce public resources, market surveillance in most countries and regions, such as the European Union, also follows risk-based thinking. A risk-based approach is applied to determine products, types of checks and the scale of surveillance. Risks are assessed based on the product hazard, economic actors’ records and consumer complaints.
Challenges for quality infrastructure in risk management
The support function of quality infrastructure in identifying, assessing and mitigating negative risks is well documented. By contrast, quality infrastructure services have so far been little used or designed to support companies’ management of opportunities.
Standards should enable companies to search more vigorously and systematically for opportunities that may arise from market environment changes or internal strengths. If companies learned to see new market opportunities behind threats, they could strengthen their competitiveness and perform better in a dynamic business environment.
Conformity assessment services can also be used more proactively. Systematic test results analysis can improve product characteristics, including design and manufacturing processes. Similarly, metrological methods can help companies identify subtle changes and trends in processes and products at an early stage by providing precise measurements. This enables companies to identify and seize potential opportunities in good time.
Overall, the contributions of quality infrastructure to risk management should be considered more carefully and used systematically.
References:
Adam, Patricia A. (2021). Integrated Risk and Opportunity Management – Implementing clause 6.1. Hochschule Hannover.
Auditing Practices Group (2016). Guidance on Risk Based Thinking. ISO Committee.
Gaucher, Françoise (2017). France: La Poste and ISO 31000. Case study.
Goetz, Nadja (2014). Revision of ISO 9001:2015 not until late 2026. DQS Global.
Graichen, Frank (2022). Risk-based approach in ISO 9001. DQS Global.
ISO 31000:2018 Risk management — Guidelines.
ISO and UNIDO (2021). ISO 31000:2018 – Risk management, A practical guide. Geneva.
ISO/TS 31050:2023 Risk management — Guidelines for managing an emerging risk to enhance resilience.
Pooley, Tony / Hogarth, Rob (2015). Risk Bandits: Rescuing Risk Management from Tokenism. Bloomington.