AS9100D – Risk Management vs Risk-Based Thinking: Just What is the Difference?
Risk-Based Thinking requires organizations to consider the risks they face during strategic planning, planning for product and service conformity, management review, and when taking corrective action. The idea is that the organization works to identify risks, decides whether action is required, and, if applicable, takes action. It is important to note, however, that risk-based thinking does not require tracking the risk as the project progresses in order to judge the effectiveness of the action or to decide whether additional action is necessary.
Risk Management, on the other hand, is a process for identifying risks, determining actions to mitigate those risks, tracking those actions, and then re-assessing any remaining risk after actions are deployed. It involves not just thinking about risk at certain stages during the realization of products and services, but also having a process to track these risks until they are addressed, mitigated, or eliminated.
What is required for operational risk management, and what isn’t?
To start with what is not required: a note specifies that while clause 6.1 “Actions to address risks and opportunities” addresses the risks and opportunities for the QMS, clause 8.1.1 “Operational Risk Management” is limited to risks associated with the operational processes the organization needs in order to provide its products and services. Therefore, while your organization may identify a QMS risk that a rival company may soon enter your market, this is not a risk that needs to be tracked under the risk management requirements, as it is not an operational risk.
There are at least five requirements that an organization needs to consider during the planning, implementation, and control of the operational risk management process. They are:
- Assign Responsibilities – Who owns the process? Who constitutes the Team? Which departments need to be included? If actions are likely to be assigned to a certain department or function, it is best to have them involved in the whole management process.
- Determine Risk Assessment Criteria – What criteria will be used for risk assessment? How will you quantify which risks to accept and what you will mitigate? A note in this clause states that within the aviation, space, and defense industry, risk is generally expressed in terms of the likelihood of the occurrence and the severity of the consequences (a good example of this might be Failure Mode Effects Analysis or FMEA).
- Identify, Assess, and Communicate Risks – Any risk of product failure must be communicated to those who design and realize the product. Without effective communication, risk identification is ineffective.
- Identify, Implement, and Manage Mitigation Actions – There are many ways to address risk, ranging from risk reduction all the way to complete elimination of the risk, that is, preventing it from occurring at all. If a risk exceeds your acceptance criteria, take actions to address the risk and track those actions.
- Re-evaluate the Risk that remains when mitigation is complete, and continue to work to reduce it – Risk management is an iterative process in which the remaining risk can always be reduced further.
Has anything really changed from AS9100 Rev C?
The requirements have remained largely unchanged since the previous revision. Risk management process requirements were already included in AS9100 Rev C under the name risk management, and the five requirements have remained essentially as they were. The real change is the clarification that these requirements apply only to operational risk, hence the renaming of the clause. The other change from Rev C is the addition of two notes: one clarifying how these requirements are separate from risk-based thinking, and one making clear that risk in aerospace is a combination of likelihood and severity. For organizations that are already compliant with AS9100 Rev C, the current risk management process will most likely remain unchanged.