Font size: +
4 minutes reading time (820 words)

AS9100 Clause 8.1.1 - The Operational Risk Management Requirement

Throughout the whole AS9100D standard, risk-based thinking is an important thread. In clause 6.1 you are required to look at the risks (and opportunities) linked to the quality management system of the organisation, now AS9100D wants you to focus on even further.

The whole point of the 5 points in clause 8.1.1 of AS9100 is to get you to understand the risks linked to your operational processes needed to create your products or services.

Operational Processes

Think about that for just a minute, this small clause is asking you to understand the risks linked to each of your operational processes of your organisation, that's not a small task. When the standard talks about operational processes it's not looking at the big bucket of "Manufacturing" it's looking at what are the processes within the manufacturing that you need to understand, that means you need to break your manufacturing down into the various stages and understand the risks in each one. Similarly, it's not looking at your warehousing, it's looking at Goods Inwards, Stock management, Stock issuing and so forth. You need to think about similar for your other processes such as purchasing, quality assurance, packaging, despatch and so forth. The easiest way to start to understand where you should be grouping your risk assessment is to map the processes start to finish. A tool that can help you here is to consider creating a SIPOC (Supplier, Input, Process, Output, Customer) analysis of each of your process blocks to truly understand the key elements of that process.  

Clause 8.1.1 Requirements

As we pointed out previously there are 5 points you need to consider in order to meet the requirements of this clause and really what they are outlining is good practice risk management which is largely in line with ISO31000 requirements.  

a. Assignment of responsibilities for operational risk management

Someone needs to be the owner of the risk to ensure that it's truly managed, otherwise it's not really managed is it. Importantly, keep in mind that you want to make the role responsible, not the actual person, as names will change over time.  

b. Definition of risk assessment criteria (e.g., likelihood, consequences, risk acceptance)

You need to document the risk assessment criteria that you will use to evaluate the operational risks that you find. While there are multiple different styles of risk template you can use, the AS9100 standard reminds you that within the aviation, space, and defence industry, risk is generally expressed in terms of the likelihood of occurrence and the severity of the consequences. The likelihood multiplied by the severity gives you the risk level. The last part of this requirement is to define the point at which you will accept the risk and progress, above that point you need to take action to reduce the risk.  

c. Identification, assessment, and communication of risks throughout operations

Once you have your criteria, then it's time to identify the operational processes and carry out the assessment. Any risks that you do find need to communicate to the organisation, especially to the people involved in that operation, so they understand what they need to look out for.

d. Identification, implementation, and management of actions to mitigate risks that exceed the defined risk acceptance criteria

The next part of any good risk assessment is to look for actions you can implement to eliminate or reduce the risk that you have found. Clause 8.1.1 of the AS9100 standard requires you to do just this. For anything you find that is about the level of acceptable risk you defined in your risk assessment criteria, you must document the actions you are going to take (and you need to take those actions) to reduce the level of risk associated with the operation.  

e. Acceptance of risks remaining after implementation of mitigating actions

The final step in the risk assessment process is to reassess the level of risk remaining after you apply your mitigation actions. The aim being that your residual risk assessment produces a lower level of risk of your risk criteria, hopefully one that is within your acceptable range. That's not always possible, hence you need to ensure those living with the risks are clear about you as an organisation have decided to manage those risks.  

Regular Risk Reviews

While the AS9100D standard isn't explicit about having to do reviews of these risks on a regular basis, that's just good practice. Everything changes over time, suppliers change, employees change, machines, processes and even the environment. Entropy is real, any system you put in that isn't reviewed and managed will deteriorate over time, planning ongoing reviews of the operational risks will help you minimise this and also potentially help identify new risks that have been missed or introduced over time.  

Ready To Start Your AS9100D Journey?

Make a booking now and find out how we can help you Make Things, Better

Ready To Start Your AS9100D Journey?

Make a booking now and find out how we can help you Make Things, Better
Mango Logo

Simplify AS9100 with Mango

Stop waiting time with multiple different systems, see how Mango can manage all of your AS9100 requirements in one fully integrated solution.

Make a booking now to see how simple it is to integrate your systems, reduce paperwork, save time and be compliant.
Mango QHSE Compliance Software made simple
Reclaim your precious time


© Many Caps Consulting | All Rights Reserved

Stay Informed

When you subscribe to the blog, we will send you an e-mail when there are new updates on the site so you wouldn't miss them.

AS9100 Clause 8.1 - The Operational, Planning & Co...

Related Posts



No comments made yet. Be the first to submit a comment
Saturday, 28 January 2023

Captcha Image

Subscribe to Our Newsletter

To Get Regular Updates on ISO | Lean | Free Resources
Sorry we need your name
Invalid Input - Sorry we need your last name here
Sorry Can you just check your email address as well
Invalid Input

Latest Blog Post

Trees That Count
memeber of New Zealand Institute of Directors