Designed to benefit: Risks & Opportunities in ISO 17025

A good system recognises the strategic benefit of minimising risk and maximising opportunity.

The new ISO/EIC 17025: 2017 standard puts extra emphasis on this by promoting risk-based thinking, preventive action and process design. It is about optimising your organisation’s overall strategy by planning, taking, and recording actions that prevent risk and enhance opportunity.

There is no need for a formal risk assessment process (although these can be very useful and even fun to do). The implication is that your system will alert you to risks and opportunities because it will be based on a proactive, risk-based approach embedded into your operations.

It’s a balancing act

Risk and opportunity is not an either-or thing  – you are weighing both all of the time as one usually corresponds with the other. If I avoid x I will attain y. If I attain y I will avoid x. Likewise, assessing risk in the context of a laboratory must be viewed with the organisation’s overall strategy in mind.

The concept in the new requirement (clause 8.5.1) about action on risk and opportunity comes from ISO 9001:2016, which has a strong customer focus. ISO 17025 and ISO 15189 are standards written by laboratory people experienced in what can go wrong. They are designed to ensure that testing-related risks are managed, including business risks such as reputational damage. By complying with these international standards and having accreditation, you are addressing all the areas of risk (and opportunity) for a testing service.

To give you an idea of some relevant risks and opportunities below is an example of factors that would need to be assessed by senior management if you received a request to do on-site testing for the first time. As you will see, many of these are interrelated and require consideration of the bigger picture.

These are just some of the risks and opportunities that might typically be identified before embarking on a new area of testing. Once these have been identified, measures will be put in place to manage, revisit and continue to identify risks and opportunities going forward.

It is likely that your laboratory is already employing actions stipulated by the new standard. But how do you demonstrate to NATA that you have addressed the new requirement (clause 8.5.1) for action to be taken on risks and opportunities, and if your system needs updating to meet the requirement, how extensive an overhaul does it need and what are some approaches to take? Below, we’ve outlined three ways that we’ve seen laboratories address the “new” requirement in ISO 17025 and (not-so-new) in ISO 15189:

1. Explain how you already control risks

Include a section in the quality manual outlining the measures already in place to manage known risks and to identify new or unidentified risks. Bear in mind that any risks and opportunities identified through these processes must have corresponding records to show what decisions were made about actions to address these.

A laboratory within a larger organisation may find this is enough, as bigger-picture risks will be handled by the company.

2. SWOT analysis

Many of our clients run their own SMEs. They may do a SWOT analysis every couple of years and find them to be useful tools that ensure they have taken some time to think outside the square about risks and opportunities. They may then decide to put some of the issues identified on the agenda of their management review meetings. This way they do get followed up periodically, and perhaps incorporated into plans for business growth. The important thing to bear in mind with a SWOT analysis is that it is a creative task that works best when you do it quickly, preferably under some time pressure.

The SWOT analysis ties into the ISO 9001 theme of identifying external (as well as internal) factors when considering the context of the organisation. Other useful tools include PEST and PESTLE, which provide more prompts for where the opportunities or risks may lie.

3. Formal risk assessment

Some (usually larger) organisations who are introducing new tests all the time find doing a risk assessment for each new technique or test is a reliable way to ensure they don’t head down a path that is only going to waste time and money. These risk assessments need to cover all conceivable risks, not just safety. If you have to produce a business case for the new tests, much of the information will overlap. Although this may sound like a huge task, once you’ve done one, the others will be much quicker, and if you are using established systems, many of the risks will already be controlled.

How to make sure you’ve got everything covered? Use the headings from the laboratory accreditation standard of course!

Take-home message

The key to all of this is to have records of what action you have decided to take on any risks and opportunities identified, and ultimately how well you did in controlling that risk. Does this sound a bit like a corrective action report (or your equivalent)? Do you have a form where you record staff suggestions too?

We know some labs that use these types of reports to cover any actions arising out of management reviews – that way they don’t have multiple systems to keep track of things and their NCA, CAR, CAPA, OPI, QIP or MAD system gets a good work-out.

Review how you are currently running your business in terms of managing risks and opportunities and you might find you don’t need to implement anything new, or you might just need to tweak a current process here or there.