The AIHA Laboratory Accreditation Programs’ implementation of the 2017 update of ISO/IEC 17025, General Requirements for the Competence of Testing and Calibration Laboratories, created some confusion and angst within the laboratory community. The primary cause of this unsettling was the introduction of “risk-based thinking,” a management model that essentially places responsibility for defining and organizing a laboratory’s policies and procedures directly on laboratory management. Why was this a problem? Because laboratories were accustomed to having policies and procedures defined by the accrediting body (AIHA-LAP, in the case of industrial hygiene laboratories) rather than assuming that responsibility themselves.  It is ironic that the introduction of ISO/IEC 17025:2017 created this concern. A decade earlier, the laboratory community had expressed mild outrage about the 2005 update of ISO/IEC 17025, which introduced few, if any, changes; it merely formalized guidance from an earlier standard (ISO Guide 25, now withdrawn) that the laboratory community had been using for years. But at the time, the 2005 update was criticized for being overly prescriptive. Now, people are finding fault with the 2017 version’s supposed lack of structure. 
No doubt there are considerable differences between the 2005 and 2017 versions. The 2005 standard managed risk for the laboratory by defining policies (nine of them), procedures (more than thirty), specifics on staffing, and management positions (including technical manager and quality assurance manager and their qualifications). The 2005 standard also included requirements for a laboratory’s quality manual and its organization. Perhaps motivated by recognition that each laboratory has some level of uniqueness, the developers of the 2017 version instituted a pure management approach rather than the 2005 standard’s more prescriptive approach.  The 2017 standard necessitates only eight policies and ten procedures. It removes requirements for management qualifications; specific positions such as technical manager and quality assurance manager and their corresponding job descriptions; and the requirement for a quality manual. The management positions, policies, and procedures defined in the 2005 version have been replaced by the concept of risk-based thinking.  RISK-BASED THINKING IS NOT ALL DOOM AND GLOOM  Risk-based thinking is an integral part of any organization’s management system. It allows management the flexibility to determine which risks need to be addressed and how to address them. Unlike ISO 31000, Risk Management, the 2017 version of ISO/IEC 17025 does not require formal methods for risk management or a formally documented risk management process.  In my mind, one of the biggest hurdles to risk-based thinking is the perception of the word “risk,” which the Oxford Dictionary defines as “exposure to the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility.” This definition emphasizes the potential negative consequences associated with risk. However, as defined in ISO/IEC 17025:2017, risk-based thinking encompasses both negative and positive risks.  For clarity, we can define a negative risk as a potential event that could have an adverse outcome needing correction and a positive risk as a potential event (an opportunity) that could have a desired outcome meriting pursuit. The goal of risk-based thinking is to minimize the negative risks in our operations and maximize the positive risks. As mentioned, an important aspect of ISO/IEC 17025:2017 is that identifying and addressing an operation’s risks are based on decisions made by laboratory management. The standard suggests a formula for evaluating the importance of each risk where risk equals the probability of occurrence multiplied by the impact of the risk on the operation if it is not addressed. This formula allows each operation to manage its risks as it deems appropriate. And, as explained in section 8.5.3 of the ISO/IEC standard, management can decide to do nothing in response to either a negative or positive risk.  ISO/IEC 17025:2017 addresses risk-based thinking in eleven sections of the standard: 

• Foreword
• Introduction
• Section 4.1.4 and 4.1.5—Impartiality
• Section—Decision Rules
• Section 7.10.1—Nonconforming Work
• Section 8.1—Management System
• Section 8.5.1—Identifying Risks
• Section 8.5.2—Actions
• Section 8.5.3—Ranking Risks
• Section 8.6—Improvement
• Section 8.7—Corrective Actions
• Section 8.9—Management Reviews

The starting point for implementing ISO/IEC 17025:2017 is selection of the management system approach and the options defined in section 8.1. An operations management system defines the policies, processes, and procedures that ensure the organization addresses activities critical to  achieving its objectives. These activities include strategy, tactics, operations, and compliance with the organization’s policies. A strong management system enables organizations to improve the quality and consistency of their services. 

Under ISO/IEC 17025:2017, two options for applying the management system are available—Option A or Option B. Both options involve the same type of risk-based approach. Option B allows laboratories certified to ISO 9001, Quality Management Systems—Requirements, to be recognized as having fulfilled the intent of the management system requirements outlined in ISO/IEC 17025:2017. Since ISO 9001 certification is not common in laboratory operations, we will focus on Option A: creating a management system according to the ISO/IEC 17025:2017 standard.  CREATING A MANAGEMENT SYSTEM Section 8 of ISO/IEC 17025:2017 defines the required aspects of the management system. These aspects include:
• Section 8.2—Management System Documentation
• Section 8.3—Control of Management System Documents
• Section 8.4—Control of Records
• Section 8.5—Actions to Address Risks and Opportunities
• Section 8.6—Improvement (Enhancing Opportunities)
• Section 8.7—Corrective Actions (Process of Addressing Risks)
• Section 8.8—Internal AuditsSection 8.9—Management Reviews

The application of risk-based thinking is defined in section 8.5, Actions to Address Risks and Opportunities. Application of the risk-based principles in section 8.5 allows laboratory management to decide which risks and opportunities are important to their operation and which actions will be taken to address those risks and opportunities. While the standard allows considerable leeway in identifying risks and opportunities, it requires the operation to ensure that its management system achieves its intended purpose, enhances opportunities, reduces undesired outcomes, and improves over time.  Make no mistake: implementing risk-based thinking requires considerable effort and involves the entire laboratory operation. A good starting point for understanding what needs to be considered in the risk-based thinking process is the discussion of impartiality in section 4.1. The need for impartiality applies to all aspects of an operation. Impartiality ensures that the organization maintains objectivity, fairness, and open-mindedness, and avoids conflicts of interest. Since business operations often change in accordance with market demands, client requests, and staffing, risk-based thinking is not a one-time event. It is a constant reevaluation of an operation’s priorities. Risk-based thinking can be applied by constructing an outline of those identified priorities. The laboratories’ priorities can be identified through analysis of an organization’s strengths, weaknesses, opportunities, and threats (SWOT); management reviews; internal audits; customer feedback; and networking events. In any case, all organizations have three major areas where risk-based thinking is needed: organizational structure, operational structure, and competitive position in the marketplace. Using these areas as a starting point, the next step is to define the components of each area and the processes within each component. An example of the outlining concept is provided in Table 1. For each component in the outline, identify the risk (or opportunity) and its consequences, probability of occurrence, and severity of occurrence, as well as the organization’s ability to detect the occurrence. Examples are shown in Tables 2 through 4.
Using the information from Tables 2–4, the next step is to prioritize each risk or opportunity. Prioritizing can be accomplished using the following formula:  Risk Rating Priority = probability x severity x detectability Each operation needs to create its own scoring system for the Risk Rating Priority. An example is shown in Table 5. The last (and probably most important) step in applying risk-based thinking is to define the actions associated with each priority. The example in Table 6 depicts turnaround time as both a risk and an opportunity. For risk-based thinking to be truly productive, each risk or opportunity must be thoroughly vetted within the operation, but the vetting process should be kept relatively simple. As seen in the Priority Score (Table 6), the organization has prioritized maintaining current turnaround targets (a Priority Score of 50) versus reducing turnaround targets (a Priority Score of 25). An important element of risk-based thinking is the facilitation of ongoing feedback from staff and customers, management reviews, and internal audits. These allow an organization to continually monitor and address risk/opportunity.  
Table 1. Sample Outline of Organizational Priorities
Table 2. Probability Score Example
Table 3. Severity Score Example
Table 4. Detectability Score Example
Tap on any of the tables below to open larger versions in your browser.
Table 5. Risk Rating Priority Example
Table 6. Sample Analysis of Turnaround Time
BENEFITS OF RISK-BASED THINKING Compliance with ISO/IEC 17025:2017 requires each laboratory to show evidence that risk-based thinking is a part of its management system. Labs must demonstrate that they identified and prioritized risks and opportunities, and identified actions for each risk and opportunity. If no actions will be taken, labs must produce a statement explaining their reasons. There is no set number of risks and opportunities to consider, but each operation must, at a minimum, show evidence of risk-based thinking related to impartiality, confidentiality, validity of results, and nonconforming work. Management reviews must also show evidence that discussion of risk-based thinking outcomes and progress is performed.  When done diligently, risk-based thinking will increase organizational effectiveness, improve operational efficiency, maintain quality standards, serve as a basis for continual improvement in both technical and business practices, and identify opportunities to go above and beyond. Perhaps the most important benefit of risk-based thinking is that it promotes growth and increased profitability by making all aspects of the business more transparent to management. That transparency allows management to understand both the negative and positive influences on their business investment and take appropriate steps to minimize negative and maximize positive priorities.  There is no doubt that risk-based thinking requires a significant initial time investment. Making risk-based thinking a group effort will promote staff buy-in. Guard against complicating the process: keep risk-based thinking simple and concise. Remember, this is an “evergreen” activity.  CONTINUOUS IMPROVEMENT The “new” concept of risk-based thinking is actually not new at all. The laboratory community implemented it under ISO 17025:2005, which required policies for preventive actions, corrective actions, trend analysis, customer complaints, and management reviews. We’ve been conducting risk-based thinking all along; we just didn’t have a name for our activities. Formalizing the process is all about continuous improvement of the business operation: getting better, more efficient and effective, and more competitive in the marketplace.    BOB LIECKFIELD, JR., CIH, FAIHA, is a senior consultant, HSE Division at Apex Companies, LLC. Send feedback to The Synergist.

tifonimages/Getty Images
How to Apply Risk-Based Thinking in Laboratories
PURE Management
Although the print version of The Synergist indicated The IAQ Investigator's Guide, 3rd edition, was already published, it isn't quite ready yet. We will be sure to let readers know when the Guide is available for purchase in the AIHA Marketplace.
My apologies for the error.
- Ed Rutkowski, Synergist editor
Disadvantages of being unacclimatized:
  • Readily show signs of heat stress when exposed to hot environments.
  • Difficulty replacing all of the water lost in sweat.
  • Failure to replace the water lost will slow or prevent acclimatization.
Benefits of acclimatization:
  • Increased sweating efficiency (earlier onset of sweating, greater sweat production, and reduced electrolyte loss in sweat).
  • Stabilization of the circulation.
  • Work is performed with lower core temperature and heart rate.
  • Increased skin blood flow at a given core temperature.
Acclimatization plan:
  • Gradually increase exposure time in hot environmental conditions over a period of 7 to 14 days.
  • For new workers, the schedule should be no more than 20% of the usual duration of work in the hot environment on day 1 and a no more than 20% increase on each additional day.
  • For workers who have had previous experience with the job, the acclimatization regimen should be no more than 50% of the usual duration of work in the hot environment on day 1, 60% on day 2, 80% on day 3, and 100% on day 4.
  • The time required for non–physically fit individuals to develop acclimatization is about 50% greater than for the physically fit.
Level of acclimatization:
  • Relative to the initial level of physical fitness and the total heat stress experienced by the individual.
Maintaining acclimatization:
  • Can be maintained for a few days of non-heat exposure.
  • Absence from work in the heat for a week or more results in a significant loss in the beneficial adaptations leading to an increase likelihood of acute dehydration, illness, or fatigue.
  • Can be regained in 2 to 3 days upon return to a hot job.
  • Appears to be better maintained by those who are physically fit.
  • Seasonal shifts in temperatures may result in difficulties.
  • Working in hot, humid environments provides adaptive benefits that also apply in hot, desert environments, and vice versa.
  • Air conditioning will not affect acclimatization.
Acclimatization in Workers