Risk-Based Thinking: Protecting Your Organization and Ensuring Compliance with ISO/IEC 17025:2017

There’s a lot of buzz around the concept of “risk-based thinking” right now. No doubt much of it is due to the additional requirements that accompanied the release of ISO/IEC 17025:2017. As a Quality Professional, what do you do if you suddenly find yourself tasked with documenting the risks and mitigation measures of your organization? Our partnership with several accrediting bodies has allowed us to dig a little deeper into this topic and we’re happy to share what we’ve learned!

This blog will take a closer look at what risk actually looks like, how auditors are assessing risk (and your reaction to it), and introduce a new feature, the Qualtrax Risk Assessment Workflow with a corresponding Risk Register Report, that we have developed to simplify this process and lighten the burden of compliance. Let’s dive in … but not head-first – that’s risky!

Watch our Webinar on Risk-Based Thinking

What is risk?

Simply put, risk is the possibility of loss or injury. For perspective, let’s look at this from a more familiar angle. Have you ever signed up to play on the softball team at work? On the surface, this seems like a pretty low-risk endeavor, but every year hundreds of people are treated for softball-related injuries, including some that result in missing substantial time at work.

Sure, the risk of injury is low, overall, but there are several factors you probably consider (consciously or subconsciously) when evaluating your decision to play. Have you ever played baseball or softball before? If so, your understanding of the physical demands of the game gives you the advantage of experience, perhaps putting you at lower risk. Even if you weren’t very good, your experience has taught you what you are capable of and what you know is beyond your ability. If you’ve never played before, on the other hand, you may be at greater risk for injury because you’re more likely to make an ill-advised diving attempt or slide awkwardly into third base.

On top of this consideration, you must also factor in that not all injuries (risks) have equal consequences. Jam a finger or pull a hamstring? Take two ibuprofen and show up at work the next day. Sprain a knee or break an ankle? Well, you might be reaching that insurance deductible sooner than expected.

The overarching questions you ultimately have to ask yourself are:

1. 1. What level of risk am I willing to tolerate?
   2. What plan can I put in place to mitigate the risk?
   3. How will I respond if an injury does occur?

You see? You are already familiar with risk-based thinking. You do it all the time, whether it’s joining the softball team, choosing a daycare for your kids or deciding whether or not to eat that leftover Mexican food that’s been sitting in your fridge for a week.

The same principles apply when you’re looking at risk assessment and mitigation for your organization. The primary difference is in how you document it.

How has ISO/IEC 17025:2017 changed the game for Quality Managers?

The key to the new requirements of ISO/IEC 17025:2017 is understanding the concept of risk as it relates to management systems and how the accrediting bodies are going to evaluate organizations that are required to consider, address, record and monitor risks.

Risks that your organization may face include, but are not limited to: process risk, project risk, service risk, risk to reputation, risk to impartiality, and risk to interested parties. If you’re looking for additional guidance, two documents that may provide a helpful overview of risk are ISO 31000, which speaks specifically to risk management more formally, and ISO 31010, which speaks to the idea that there are many ways to approach risk.

Historically, this responsibility has been delegated to the upper and supervisory management levels, where risk is addressed both proactively and reactively. When risk is assessed reactively, the methods put in place to address the nonconformity and the ensuing “damage control” can derail an organization’s processes and jeopardize the quality of their work and customer relationships. The change in the ISO/IEC 17025:2017 requirements is intended to shift this approach to one that is more proactive. When the decision-making role is implemented at the lowest level possible – spread across all levels of management – there is more room for continuous improvement, which is the overarching goal of the standard.

The ideal outcome is that organizations will become healthier. By moving risk management to the front end of the quality process and addressing it proactively, an organization will feel empowered to change based on the value to the customer, not solely based on risk to the organization itself.

Risk Mitigation: Determining your tolerance for risk, what you should you look for in a QMS, and what your auditors will be looking for

There is more than one way to assess and address risk. The ideal QMS solution will allow your organization the option to manage risk both qualitatively and quantitatively, giving you flexibility to be creative with your risk management approach. In risk management, there are typically three descriptors an organization might use to manage risk:

1. 1. 1. Severity or impact
      2. Likelihood or frequency of occurrence
      3. Ability to detect a change in the event

An organization should be able to choose if it would like to use one, two or all three descriptors to manage its risk.

A qualitative approach is based on words or colors (e.g., red, yellow, green), and a quantitative approach assigns values to the descriptors and levels of risk (e.g., extreme, high, moderate, low). Both approaches are evaluated to determine action levels and, ultimately, drive a corrective or improvement response.

One example of how to implement this could be the use of a “heat map” to assess risk based on a) the severity of a risk; and b) the likelihood of occurrence. Let’s say your organization rates severity and likelihood on a scale of 1-5, with 1 being unlikely and of little consequence, and 5 being a very likely, worst-case scenario.

These two scales are multipliers, which will give you your final score. So, for example, if the severity of risk is a 3 and the likelihood of occurrence is a 4, the final score for that risk would be a 12. It is up to your organization to determine what your tolerance threshold is. If you determine that anything over a 15 requires a corrective action, then this example would indicate that no immediate action is necessary, but you may want to flag this item and re-evaluate it at more regular intervals. If the severity and likelihood are both fives, on the other hand, you’re looking at a score of 25 and something is probably on fire!

If you do identify a risk that has a score well above 15, or whatever value your organization determines as its risk threshold, it’s perfectly fine to decide that the item is too risky and that it’s more prudent to abandon the process or component you’re considering. In all cases, the critical step is to have a defined process in place to implement necessary changes to mitigate those risks and be able to show that a change was made.

Because the standard does not explicitly define how you assess risk, your organization has the flexibility to determine how you want this process to work. Using your QMS to evaluate risk is an excellent strategy as long as the platform you’re working on offers you that same flexibility.

Accordingly, Quality Professionals should expect their QMS to do the following:

1. 1. 1. Allow an organization to determine how it would like to establish and evaluate risk levels (qualitatively or quantitatively).
      2. Allow the organization to define its objectives, risk mitigation triggers and monitoring tools, and then record risk in its own table or database or embed it in a process or subprocess as part of the process flow.
      3. Report on the effect of risk monitoring and management.
      4. Develop action plans resulting from these reports to mitigate risks where appropriate.

Ensuring that your organization is compliant can feel stressful because the standard allows for flexibility in how you choose to manage your risk. In fact, in speaking with our accrediting body partners, we’ve learned that the biggest fear for most organizations is that they are not meeting the requirements of the ISO standard.The truth of the matter is this: your organization is already managing risk. The accrediting bodies are simply asking you to show them how you’re doing it.

From an assessor’s perspective, if there are areas they determine don’t need to be addressed, they don’t need to see a change. If there is an area they deem risky and a change needs to be made, they will want to see that change implemented. All they are doing is looking for change.

What about those areas of risk though? Would that be a major finding? Minor finding? Just a recommendation? In speaking with our partners, the most common scenario is not that an organization has missed a risk altogether, but simply isn’t documenting a full plan around each identified risk, which could include not addressing it at all. In most cases, these will be marked as observations and opportunities for improvement on your first audit to ISO/IEC 17025:2017, rather than a finding.

Nugget of wisdom: Focus less on assessing risk for your audit. Spend more time assessing the risks your organization identifies through serving your customers. React to the things that drive your business and your business goals and you will have risk covered. Evaluate your risk to your customers first, then go back and check with the body that is accrediting you. Your customers drive your business and success!

The Qualtrax Solution: Introducing the Risk Assessment Workflow

Wouldn’t it be nice if there was a tool out there that enabled you to track and document your risk? How much easier would your life be if you could simply run a report that would sort your risks and opportunities according to the qualitative and quantitative markers you’ve assigned them? Oh, and what if you could build your own custom workflows to take action on different risks as they evolve at different stages of the process, helping you identify those risks as they emerge and giving you the flexibility to re-assess and monitor on your own schedule? And the kicker? What if you didn’t have to pay any extra for a new module or add-on to get access?

Great news! The team at Qualtrax is proud to announce the release of its Risk Assessment Workflow and Risk Register Report!

We teamed up with our accrediting body partners to determine the ideal suite of options to include in our new workflow, which comes standard with your Qualtrax subscription. The best-in-class Risk Assessment Workflow is available for immediate download to current Qualtrax customers. If you would like to add the Risk Assessment Workflow to your system, please contact our services team to get started. The best-in-class version includes all the tools you will need to get started on the path to risk mitigation compliance with the guidelines discussed and outlined above.

As with all Qualtrax workflows, however, the best-in-class versions are just the tip of the iceberg. We offer the unparalleled ability to customize your Risk Assessment Workflow to fit processes that are unique to your organization. If you are a seasoned Qualtrax veteran, you already know how valuable this unlimited flexibility can be! If you’re new to our platform or would like assistance in building a unique process to suit your organization, we have a dedicated service team ready to work with you to build a custom workflow and load it into your system.

New to Qualtrax and ready to cross risk mitigation off your compliance to-do list? Contact us today to schedule a demo with a member of our sales team and learn just how powerful the Qualtrax platform is!

Categories: Compliance Management, Risk, Testing Labs

Back to Blog