How to address risks and opportunities in AS9100

The latest version, AS9100 Rev D, includes two separate considerations for addressing risk in the aerospace quality management system (QMS). One, clause 6.1 Actions to address risks and opportunities, is new to the standard and comes from incorporating ISO 9001:2015. The other, clause 8.1.1 Operational risk management, was included as a part of the requirements for aerospace after the previous version of AS9100 Rev C. While both sections involve understanding the risks that are present for your organization and determining what you will do about them, each has a separate application within the QMS that needs to be understood.

Actions to address risks and opportunities

Clause 6.1 is a new section of the standard and brings in the concept of risk-based thinking as it was introduced into ISO 9001:2015. This section talks about identifying risk for the QMS at the top level of the planning process. It also requires you to identify these top-level risks and determine if anything needs to be done about them. If you do take action, it is important to incorporate these actions into the regular activities of your QMS so that they are not forgotten or overlooked.

As these are top-level risks for the organization, the concept is to address these at the highest level. In fact, you may already have activities in place to look at strategic organizational risk. For instance, many companies have business planning processes that look at the risks to the business and the opportunities that could be present, such as the use of a SWOT analysis (strengths, weaknesses, opportunities and threats).

The use of a SWOT analysis in business planning will also include making plans to address the risks and opportunities identified, which is also required by the AS9100 Rev D standard. For instance, if you identify a risk that a key component in your product or service will become obsolete, you can make the plans necessary to find a replacement before your customers are impacted. Another example may be the risks or opportunities presented by learning that a supplier or competitor is going out of business, and that it may affect your company.

If you already do this as part of your business capture strategy, then you are already meeting the requirements of clause 6.1 of the AS9100 Rev D standard; if not, then this is certainly an industry best practice that you could adopt. Remember, the format of this identification is not mandated, so you can look at these risks and opportunities in any fashion you wish.


Operational risk management

Clause 8.1.1 on operational risk management is not a new requirement for AS9100, and is very much the same as the previous revision of the standard. As identified in Clause 8.1.1, Note 1, the requirements are much more limited than for clause 6.1, and are limited to managing the risks associated with the operational processes needed to provide products and services. This clause talks about how you control risks such as potential schedule delays, short delivery schedules, high-risk parts, etc. For these risks, you need to identify the risk, determine your action, and then control the risk.

It is important to note that this is expected to be a full risk management process. You not only identify the risk and make necessary plans to address it if needed, but you also track the risk until it is no longer a risk. So, even if you choose to do nothing to address the risk, you will still need to monitor it until the point in time that it has passed. An example would be identifying the risk that a critical component would be late from a supplier for which you can take no action, then keeping an eye on the delivery until the part was actually delivered to your organization.

For a better understanding of what is needed for operational risk management, see the article: 5 key elements of risk management in AS9100 Rev D.

Why look at risk in the aerospace QMS?

Understanding risk and determining if you need to do anything about each risk is a key element for companies that want to survive in an ever-competitive marketplace. In order for your business to thrive you need to identify, in some manner, what risks you have and how they can affect you. Then you need to determine what, if anything, you need to do to prevent these risks from adversely affecting your organization.

However, as always, it is important that you find the best way for your organization to do this activity to address your risks and opportunities. This can be as simple as brainstorming for your SWOT analysis and then deciding if you need to do anything about the risks that are identified. This could then lead to a management process for the operational risks you have determined as necessary for monitoring. This process is there to benefit your business, so do not take extremely expensive steps to implement this system if it is not required for you.

Always remember, a quality management system is there to benefit your business, not to cost you excessive amounts of money to run. So always do what is best for your business.

For a better understanding of the AS9100 Rev D standard, see this white paper: Clause-by-clause explanation of AS9100 Rev D.

Author: Mark Hammar
Mark Hammar is a Certified Manager of Quality / Organizational Excellence through the American Society for Quality and has been a Quality Professional since 1994. Mark has experience in auditing, improving processes, and writing procedures for Quality, Environmental, and Occupational Health & Safety Management Systems, and is certified as a Lead Auditor for ISO 9001, AS9100, and ISO 14001.