We get this question weekly and sometimes daily it seems.
Why? Because ISO has not defined Risk Based Thinking (RBT). And this is a hugely important question, because ISO has elevated RBT to the same level as Plan-Do-Check-Act (PDCA) and the process approach in the Final Draft International Standard (FDIS) of ISO 9001:2015.
One of the things we know is that the marketplace hates a vacuum. Someone will develop a product or service to fill the vacuum. This is exactly what we did with RBT.
Risk Based Thinking?
We wrote a 330-page book called Risk Based Thinking this year. Why? Because ISO has not really defined what RBT is. We have been working with this idea for almost a dozen years, and we wanted to share the risk lessons we have learned over those dozen years of involvement with risk management.
So in general, RBT is a good to great concept for ISO. However, there are problems.
RBT as defined and described by ISO is difficult to operationalize or audit. How do you operationalize or audit Risk Based Thinking? What evidence, artifacts, or data is the auditor going to find based on someone's thinking? How do you read someone's thoughts? Unless you have taken and passed a Mind Reading 101 course, you cannot audit Risk Based Thinking.
What is Risk Based Thinking?
However, you can audit Risk Based Thinking artifacts and the audit trail they leave if we define RBT as:
- Risk based, problem solving.
- Risk based, decision making.™
Why? Because both of the above are demonstrable and auditable, and they offer verifiable evidence to a Certification Body of conformance, of performance, or of the effectiveness of risk controls.
We have been advising companies on the above for about a dozen years, we teach it in our Certified Enterprise Risk Manager® program, and we even obtained a registered mark for Certified Enterprise Risk Manager: Risk Based, Problem Solving and Risk Based, Decision Making®.
Lesson Learned: RBT is a good concept that needs to be operationalized and made auditable. We define it as (1) risk based, problem solving and (2) risk based, decision making.