Summary: Qualitative risk assessment complements quantitative data by capturing employees' perceptions of risk severity and likelihood, providing insights that production metrics alone cannot reveal. For QA Managers and Quality Engineers operating under ISO 9001 Clause 6.1 risk-based thinking requirements, combining qualitative and quantitative risk assessments strengthens operational quality, improves non-conformance detection, and drives more effective corrective actions across the quality management system.
Risks are naturally associated with manufacturing and industrial operations. In 2020 alone, private industry employers reported 2.7 million nonfatal workplace injuries, according to the U.S. Bureau of Labor Statistics. For QA Managers and Quality Engineers operating under standards such as ISO 9001, IATF 16949, and VDA 6.3, systematically identifying and mitigating these risks is not optional. In fact, it is a foundational requirement for maintaining compliance and protecting operational performance.
ISO 9001 Clause 6.1 establishes risk-based thinking as a core principle of quality management. Specifically, it requires organizations to determine risks and opportunities that could affect conformity of products and services. To meet this requirement, organizations often conduct quantitative risk assessments. These assessments leverage data about existing processes and procedures to pinpoint potential problems. They also track key performance indicators such as non-conformance rates and cost of poor quality (COPQ).
However, quantitative risk evaluations only tell half the story on their own. When paired with qualitative risk assessments of employees’ risk perception, companies can both boost staff safety and reduce overall risk. As a result, they improve first pass yield (FPY), audit completion rates, and long-term compliance posture. Here’s how.

What is a Qualitative Risk Assessment?
A qualitative risk assessment focuses on employees’ perception of risk around specific activities or expectations. Interviewing multiple employees then allows companies to “score” each risk on both perceived severity and perceived likelihood. Notably, this approach closely aligns with the severity and occurrence ratings used in Failure Mode and Effects Analysis (FMEA).
The goal of a qualitative risk assessment is to create rating scales of potential risks based on actual user experience. Additionally, it aims to develop comprehensive risk management strategies. Notably, when many employees share the same experience, the risk is likely universal. Furthermore, widespread worry about the severity of a risk indicates that it’s not simply an inconvenience. Left unchecked, it could derail operational performance and drive up non-conformance rates.
For QA Managers and Plant Managers, qualitative risk assessments provide critical frontline insight. In particular, they complement the data-driven outputs of internal and supplier audits conducted under ISO 9001, IATF 16949, or VDA 6.3 frameworks.
Qualitative vs Quantitative Risk Assessment
A qualitative risk assessment focuses on perception, while a quantitative risk analysis leverages data to determine overall risk. For example, a quantitative assessment might use data about machine failure rates per hour to determine the probability of production stoppages. In contrast, a qualitative assessment would ask employees about their perceived experience with the same machine.
Quality Engineers often use both approaches in tandem when building a quality risk assessment matrix. The quantitative side feeds KPIs like COPQ and FPY. Meanwhile, the qualitative side captures process knowledge that might not appear in audit data alone. Therefore, if both assessments indicate a high probability of risk, it’s worth investigating and remediating the concern.
The key differences between these approaches include:
- Qualitative: Captures subjective severity and likelihood ratings from frontline staff, similar to FMEA risk priority scoring
- Quantitative: Uses measured data such as defect rates, machine MTBF, and statistical process control outputs
- Combined: Produces a comprehensive risk matrix that satisfies ISO 9001 Clause 6.1 risk-based thinking requirements
When Should These Assessments be Used?
Organizations often use qualitative risk assessments at the start of new projects or during process planning phases. Specifically, the purpose is to create a list of risks that could undermine overall performance. By providing staff with information about key project deadlines, deliverables, and required processes, QA Managers and Plant Managers can gain valuable feedback. Consequently, this helps prioritize resource allocation to deliver reduced risk and improved audit readiness.
Consider a project that involves the manufacture, packaging, and shipping of specific goods. A qualitative risk analysis process might reveal widespread concern around certain aspects of the packaging process. For instance, employees may cite inadequate space, high complexity, and low margin for error. These factors could lead to both production line backups and potential injury. Armed with this information, project managers can allocate resources to address the issue before the project starts. As a result, they proactively reduce non-conformance rates and protect first pass yield.
Quantitative assessments, meanwhile, might show high failure rates for a specific piece of machinery on the production line. Team members may not have mentioned this issue during qualitative assessments, because the failure is easily worked around with stopgap processes and functional know-how. However, the time those workarounds add to the overall production run could derail project timelines. Therefore, it may be worth spending the money to fix the issue fully before the project starts in earnest.
For organizations subject to IATF 16949 or VDA 6.3, both types of assessment feed directly into supplier audit findings and corrective action planning. In other words, they are essential tools for maintaining certification and meeting customer-specific requirements.
Best Practices for Quantitative and Qualitative Risk Assessments
Quantitative and qualitative risk assessments have different outcomes. However, they share similar best practice methodologies for effective project risk management. Quality Engineers and QA Managers should follow a structured approach. Specifically, this approach should align with ISO 9001 Clause 6.1 and FMEA methodology:
Identify key risks
First, companies must identify key risks in the organization. For example, common strategies include the use of process safety audits, quality assurance audits, and supplier audits aligned with VDA 6.3 or IATF 16949 requirements. By using either in-house templates or those provided by audit management platforms, companies can streamline risk identification. Additionally, this approach allows auditors to focus their attention on key processes and policies while improving audit completion rates across all facilities.
Effective risk identification methods include:
- Conducting FMEA workshops to score severity, occurrence, and detection for each potential failure mode
- Performing process audits aligned with ISO 9001 or VDA 6.3 question catalogs
- Reviewing non-conformance data and COPQ trends to surface recurring quality risks
- Gathering frontline employee input through structured qualitative interviews

Classify risk impact
Next, companies must classify each risk on an impact scale as low, medium, or high. Specifically, they base this classification on the likelihood of the risk occurring and its potential results. QA Managers commonly use a risk assessment matrix — similar to the severity-by-occurrence grid in FMEA — to visualize and prioritize risks. For example, consider a high-value, high-throughput piece of machinery that staff report as unreliable, and that the data shows is due for replacement within the next year. Given both the perceived and the measured risk information, it may be worth replacing the machine early. This avoids the potential impact of the risk on project objectives and non-conformance rates.
Develop risk response
Once the team classifies risks, companies must prioritize those defined as high risk. Subsequently, they develop risk responses for each one before moving to medium and finally low-risk operations. This mirrors the corrective and preventive action (CAPA) workflow familiar to Quality Engineers working under ISO 9001 or IATF 16949. Low-risk concerns may not receive attention for weeks — or months. However, having a plan in place allows businesses to see how far they’ve come. Moreover, it shows what they have left to do while demonstrating the documented risk-based thinking that auditors expect.
Regularly monitor these risks
Risks don’t simply vanish because they’ve been initially addressed. For this reason, it’s worth conducting qualitative and quantitative analysis at multiple stages. Conduct them at the beginning of a new project, at the midpoint, and when the project is completed. This helps evaluate risk change over time and determine if further process improvements are necessary. Additionally, tracking KPIs such as audit completion rates, non-conformance rates, FPY, and COPQ over each cycle provides Plant Managers with objective evidence. It shows that risk responses are working and gives Quality Engineers the data they need to update FMEA scores and risk matrices accordingly.
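The four steps above, worked through as an added example that is not part of the article or of Certainty's product: interview ratings from several employees are aggregated, measured failure rates are mapped onto a likelihood scale, each risk is classified on a severity-by-likelihood grid from both sources (flagging where perception and data disagree), and the register is ordered high to medium to low for response planning. The 1-5 scales, the band cut-offs and the sample register are all assumptions.

```python
from statistics import median
# Added example (not from the article): merges interview ratings with process data; scales, bands and data are assumed.
LEVELS = {"low": 0, "medium": 1, "high": 2}

def perceived(responses):
    """Median of 1-5 interview ratings plus the share rating >= 4, so one outlier
    cannot dominate and widespread concern stays visible."""
    return median(responses), sum(r >= 4 for r in responses) / len(responses)

def likelihood_from_rate(failures_per_1000h):
    """Map a measured failure rate onto the 1-5 occurrence scale (assumed bands)."""
    for limit, score in ((0.1, 1), (0.5, 2), (2.0, 3), (5.0, 4)):
        if failures_per_1000h < limit:
            return score
    return 5

def classify(severity, likelihood):
    """Severity-by-likelihood grid; the cut-offs on the product are assumed."""
    product = severity * likelihood
    return "high" if product >= 15 else "medium" if product >= 6 else "low"

def rpn(severity, occurrence, detection):
    """FMEA Risk Priority Number: severity x occurrence x detection."""
    return severity * occurrence * detection

def assess(risk):
    """Score one risk from both sources, keep the worse class, flag disagreement."""
    q_sev, _ = perceived(risk["sev_responses"])
    q_lik, concern = perceived(risk["lik_responses"])
    d_lik = likelihood_from_rate(risk["failures_per_1000h"])
    qual, quant = classify(q_sev, q_lik), classify(risk["data_severity"], d_lik)
    return {"name": risk["name"], "qualitative": qual, "quantitative": quant,
            "level": max(qual, quant, key=LEVELS.get), "agree": qual == quant,
            "widespread": concern >= 0.5, "rpn": rpn(max(q_sev, risk["data_severity"]),
                                                    max(q_lik, d_lik), risk["detection"])}

def prioritise(risks):
    """Order the register high -> medium -> low, then by RPN, for response planning."""
    return sorted((assess(r) for r in risks), key=lambda a: (-LEVELS[a["level"]], -a["rpn"]))

# Constructed sample register (not real plant data): one risk only staff worry about,
# one only the data flags, one that both sources agree is low.
REGISTER = [
    {"name": "packaging cell", "sev_responses": [4, 5, 4, 4, 3], "lik_responses": [4, 4, 5, 3, 4],
     "failures_per_1000h": 0.3, "data_severity": 2, "detection": 3},
    {"name": "press #2", "sev_responses": [2, 3, 2, 2, 3], "lik_responses": [2, 2, 3, 2, 2],
     "failures_per_1000h": 6.0, "data_severity": 4, "detection": 5},
    {"name": "label printer", "sev_responses": [1, 2, 1, 1, 2], "lik_responses": [2, 1, 1, 2, 2],
     "failures_per_1000h": 0.05, "data_severity": 1, "detection": 2},
]
```

Re-running prioritise() on the register captured at project start, midpoint and completion gives the per-cycle comparison the monitoring step calls for; an "agree": False entry is the mismatch between perception and data that deserves investigation before resources are committed.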
Quality and Quantity: The Best of Both Worlds
In isolation, qualitative and quantitative assessments only tell half the story. Specifically, one provides the perception of risk from workers’ perspective. The other provides clear data about potential failure rates. Using either type alone offers valuable information but is missing the larger context. Specifically, data indicating physical failures may be offset by staff knowledge. Similarly, employees’ perception of risk may not align with collected data.
Combining quality and quantity gives companies the big picture by creating a risk assessment matrix. Organizations can identify risks that are both worrisome to employees and backed up by collected data. As a result, they can effectively allocate resources to deal with critical concerns and help drive project success. Ultimately, this reduces COPQ, improves FPY, and strengthens compliance with ISO 9001, IATF 16949, and VDA 6.3.
Frequently Asked Questions (FAQs)
What is the difference between qualitative and quantitative risk assessment in quality management?
A qualitative risk assessment captures subjective input from employees and stakeholders about the perceived severity and likelihood of risks. This is similar to how teams assign FMEA scores during cross-functional workshops. In contrast, a quantitative risk assessment uses measured data such as defect rates, machine failure frequencies, and statistical process control outputs to calculate risk numerically. QA Managers and Quality Engineers get the most complete picture when they combine both approaches into a single risk assessment matrix. As a result, they satisfy the risk-based thinking requirements of ISO 9001 Clause 6.1.
How does ISO 9001 Clause 6.1 relate to qualitative risk assessment?
ISO 9001 Clause 6.1 requires organizations to determine risks and opportunities that need attention. The goal is ensuring the quality management system achieves its intended results. Qualitative risk assessment directly supports this requirement. Specifically, it systematically gathers frontline input on process risks. Teams then document these findings in risk registers and use them to plan preventive actions. For organizations also certified to IATF 16949, this information feeds into product safety and supplier management processes as well.
How do QA Managers use risk matrices to improve audit outcomes?
QA Managers use risk matrices to prioritize which processes, equipment, or suppliers pose the greatest threat to product quality and compliance. They plot likelihood against severity, drawing from both qualitative employee input and quantitative data. Consequently, they can focus audit resources on the highest-risk areas first. This targeted approach improves audit completion rates. It also reduces non-conformance findings during certification audits. Furthermore, it helps demonstrate continual improvement to ISO 9001 or VDA 6.3 auditors.
What role does FMEA play in quality risk assessment?
Failure Mode and Effects Analysis (FMEA) is one of the most widely used tools for quality risk assessment in manufacturing. It combines qualitative judgment — severity and detection ratings from cross-functional teams — with quantitative occurrence data. Together, these calculate a Risk Priority Number (RPN) for each potential failure mode. Plant Managers and Quality Engineers use FMEA outputs to prioritize corrective actions, reduce COPQ, and improve first pass yield. Therefore, it is a critical tool for meeting IATF 16949 and VDA 6.3 requirements.
Which KPIs should Quality Engineers track when monitoring risk assessment effectiveness?
Quality Engineers should track several key performance indicators to measure whether risk assessment and mitigation efforts are working. These include:
- Audit completion rates: Percentage of scheduled audits completed on time across all facilities and suppliers
- Non-conformance rates: Frequency and severity of non-conformances identified during internal and external audits
- First pass yield (FPY): Proportion of units passing inspection without rework, indicating process stability
- Cost of poor quality (COPQ): Total cost of scrap, rework, warranty claims, and other quality failures
- FMEA RPN trends: Changes in Risk Priority Numbers over time showing whether corrective actions are reducing risk