While risk-based thinking is a new term in the 2015 version of ISO 9001, the concept of risk management is not new to the insurance industry.
Many companies already have some sort of risk management process in place and much progress has been made to formalize these processes and even use them for regulatory purposes. Another step forward is the introduction of the ISO 9001:2015 standard, which includes a focus on risk-based thinking that could benefit the industry.
ISO 9001:2015, which defines risk-based thinking even more than its predecessor ISO 9001:2008, is giving thought to considerations that are similar to an actuarial analysis. Actuarial analysis (as paraphrased from The Free Dictionary By Farlex) is the evaluation of the risk of loss to an investment done. The actuary performing this analysis uses varying types of statistical models and mathematical methods to complete the task. This is similar to ISO 9001:2015, as the standard also encourages organizations to establish a business model and clearly define their methods as part of a structure to support the decision making process and promote the business. This is accomplished by clearly establishing, and in some cases, defining repeatable processes and controls for use by competent personnel. When used as a foundation, ISO 9001:2015 can help life insurance businesses evaluate risk in relation to the needs of their own organization. This promotes the type of structure needed by that organization to sustain its purpose.
The purpose of the organization is driven or controlled by value and that value tends to be monetary.
In other words, good service, delivered on time, while making money today and positioned to make money again tomorrow. While ISO 9001:2015’s ability to help an organization with this pursuit of value is not new, the use of risk-based thinking to ensure that risks and opportunities are accounted for in relation to value is new.
This risk-based thinking may involve some sort of risk tool or methodology, much in the same way as the actuary. ISO 3100 is an excellent resource for a more formal approach to risk-based thinking. While the use of a risk tool or methodology is desirable, it is important to recognize that ISO 9001:2015 does not require a formal risk method or model. Another method to account for risk, is for the “risk tool” to actually be the management system itself. In essence, development of a management system centered around ISO 9001:2015 can serve as the risk-based thought process an organization employs to satisfy this requirement. To make this work, it is important to start with an understanding of competence, definition, and control.
Every process or activity has a point of reference for how the organization ensures that process or activity was established and can be sustained.
In many cases, this is based on the competence (i.e. education, skills, training, or experience) of those fulfilling the process or the task either had when they took on the role or was developed into it. In essence, the person or persons involved were either hired because they already had all of the competence needed, or the organization needs to understand the level of competence this person or persons have or will need and bring them to that level.
This competence may be complemented by:
- process definition, such as a procedure or checklist,
- process control, such as an alarm that goes off if there is a need to act or a computer program that will not let the user enter incorrect data,
- or a combination of definition and control.
In the example provided, competence was the starting point for the approach used by an organization to sustain that process or activity. The starting point is not limited to competence and could be process definition or process control, complemented with definition and/or control as needed. An example would be a process where personnel are scanning claims into a computer and the scanner has controls to track the number of scans made for a data set and has a built-in feature that can assess legibility of the scan. In this situation, competence may simply be to understand how to load pages into the feeder. If there is more to the process, some sort of procedure or checklist may be used to provide definition to support competence and maintain control. If this is the approach employed, competence now includes the original need to load the machine and the ability for persons involved to read and comprehend the procedure or checklist included in the process.
In this example, the key to risk-based thinking is to understand the starting point (i.e. predominant component) as the process or activity is right now, and to determine whether the answer is one, all, or a blend of two or more components of competence, definition, and control. This is a way to eliminate or greatly reduce the effect of process variation by determining the levels of each component. In other words, if all processes or activities are accounted for by looking at and addressing the needs of each through the lens of competence, definition, and control, a simple and effective means of risk-based thinking has been achieved.
While an organization may choose to use a more commonly accepted approach to risk analysis (e.g., a risk tool centered around failure mode and effects analysis or FMEA), there will still be a need to address the risks identified as part of an overall management system where ISO 9001:2015 is the foundation. Thinking of risk as part of an overall plan and taking action to eliminate or greatly reduce risks supports the insurance business’ ability to continue to provide good service, on-time, while making a profit today and into the future.
Visit ASQ Quality Management Standards for more information on ISO 9001:2015 and ISO 3100:2009 (ANSI/ASSE Z690.2-2011 in the U.S.).
About the authors
ROBERT FREEMAN is president of Practical Perspectives in McKinney, TX and a recognized authority in quality management systems for a variety of industries including insurance. He is a member of the U.S. Technical Advisory Group to ISO Technical Committee 176 Freeman is a senior member of ASQ, a registered lead auditor for ISO 9001, and an ASQ-certified quality improvement associate.