Using Corrective & Preventive Actions to Measure & Mitigate Risk

   Risk Reduction Using Corrective/Preventive Actions in ISO 9001

A Common Sense Guide for Hospitals Using NIAHO/ISO 9001

A Measurement Strategy

Wes Chapman

June 22, 2014

     Measuring Risk

Risk Reduction via the CAPA System

This is the third in a series of quick lessons in the 6 required documented procedures of ISO 9001 – 1) Document Control, 2) Record Control, 3) Internal Audit, 4) Control of Non-conforming Product, 5) Corrective Action, and 6) Preventive Action. These lessons are for hospitals adopting ISO 9001 – and this one is focused on risk reduction using the corrective and preventive action procedures required by ISO. These are designed to be 10-minute reads – introducing some concepts that I’ve found valuable.



ISO is pretty straightforward about fixing problems – including both corrective and preventive actions – “…The organization shall take action to eliminate the causes of [potential] nonconformities [defects, failures and problems] in order to prevent their [occurrence] recurrence. Corrective actions [preventive actions] shall be appropriate to the effects of the [potential problems] nonconformities encountered. (Section 8.5.2 & .3 [preventive actions])”

Inadequate Consideration of Risk

Paraphrasing from the standard, this requires: 1) reviewing actual and potential problems, 2) determining the root cause of the problem(s), 3) evaluating the need for action, 4) determining, implementing and documenting (in P&Ps) the action required, and 5) reviewing the effectiveness of the actions by using data. In layman’s terms – identify the problem, determine the root cause, plan the fix, fix it, and prove that it was actually fixed with real-world data.

CAPAs – the best place to address risk in your quality system

The CAPA Cycle

Just as I suggest incorporating risk analysis and mitigation in documentation (Making Sense of Documented Procedures in ISO 9001 – A Common Sense Guide for Hospitals Using NIAHO/ISO 9001), risk mitigation has a central role in effectively dealing with corrective and preventive actions – CAPAs. This is a five-question process:

1) Examine the non-conformance – what went wrong, and was the risk properly evaluated in the original procedures – was it a high-risk procedure?

2) Does the Root Cause Analysis (RCA) define the fundamental problem and risks?

3) Does the process redesign consider risk, and is risk clearly mitigated as part of the corrective action?

4) Does the process redesign consider and utilize countermeasures to risk severity and recurrence?

5) Does the test for effectiveness of the CAPA include any consideration of risk mitigation?


Incorporate Risk Analysis & Mitigation into your CAPA Analysis


 Examine the non-conformance – what went wrong, and was the risk properly evaluated

At a minimum, CAPA documentation and analysis should include:

  1. Any prior risk scoring of the procedures covered by the CAPA, as well as any prior risk mitigation efforts such as Failure Mode and Effects Analysis (FMEA).
  2. Any related regulatory risk reduction such as Serious Reportable Events.
  3. Discussion of forward-looking metrics – any early warnings that similar problems are developing.
  4. Circuit breakers to prevent cascading failures – true catastrophes usually start small and then snowball into disaster.
  5. Specific documented updates and changes to procedures and processes together with a data monitoring plan.


No CAPA is complete without risk mitigation, and risk mitigation never happens by chance. One of the best tools available for risk analysis and mitigation is the Bow Tie analysis. This is a highly structured analytical process used to address high-risk processes – stay tuned for more about this in the next blog in this series.
