ISO 9001:2015 – Newsletter – Issue 18



Issue 18 – Clause 6.1:  Actions to Address Risks and Opportunities




What’s new in Clause 6.1?… In our last Newsletter (ISO 9001:2015 Newsletter Issue 17) we discussed the topic of “roles, responsibilities and authorities”, and now here in Clause 6.1 we address the area of “risks and opportunities”.
Note A: This Clause does NOT include a requirement for “documented information”.
Note B: The content for these Newsletters comes from working in the field with my Clients, and with their ISO Certification Bodies.  I gain a lot of hands-on experience from conducting numerous gap audits, where the requirements of the Standard have to be interpreted and applied to each unique situation.  Combining a Gap Audit with ISO 9001 Essentials Training has become our most popular request from our Newsletter readers (…more details on this, as well as other training, can be found below).


The new numbering format… 

Element 4 – Context of the organization
Element 5 – Leadership
Element 6 – Planning
Element 7 – Support
Element 8 – Operation
Element 9 – Performance evaluation
Element 10 – Improvement


Clause 6.1  Actions to Address Risks and Opportunities consists of two (2) Sub-Clauses as listed below:

6.1.1  [no title]  When planning for the quality management system…

6.1.2  [no title]  The organization shall plan…


Sub-Clause 6.1.1  – This sub-clause asks you to refer back to the issues in Clause 4.1 (Understanding the Organization and its Context) and the requirements in Clause 4.2 (Understanding the Needs and Expectations of Interested Parties) as part of your “planning” process, and then continues on to explain why you need to address risks and opportunities, in sub-clause 6.1.1 parts [a] through [d].

Let’s take a moment and talk about “risk”… I continue to see discussions (lots and lots of discussion) in online forums debating the terms “risk” and “risk-based thinking”, what they mean and what can be shown to an auditor as objective evidence.

Let’s begin with some words taken directly from the ISO 9001:2015 Standard…
From Annex A.4: “One of the key purposes of a quality management system is to act as a preventive tool. Consequently, this International Standard does not have a separate clause or subclause on preventive action. The concept of preventive action is expressed through the use of risk-based thinking in formulating quality management system requirements.”

Also, here are some additional facts derived directly from the ISO 9001:2015 Standard…
Other than Clause 5.1.1 d), there are NO other “shall” requirements for risk-based thinking in the ISO 9001:2015 Standard.  Not one other “shall”… period… and Clause 5.1.1 d) simply asks top management to promote the use of risk-based thinking… that’s it “promote the use”… and NO documented information is required.

Let me continue…
The single word “risk” (not risk-based thinking) shows up in only eight (8) sentences as a requirement, but not one of these areas asks for “documented information”, which means verbal-only evidence will have to be acceptable to an auditor.

Let me summarize then by saying that this new ISO 9001:2015 Standard has eliminated the Preventive Action clause and replaced it with a concept called “risk-based thinking”.  I say “concept” because there are no teeth to it, no requirements exist other than to promote the concept within the organization, and no requirement to show documented proof that you have implemented “risk-based thinking” (even the old Preventive Action clause required a controlled record to be kept!).

As an ISO 9001 Auditor, I fully recognize the predicament this places the Auditor in, and two words come to mind, “flexible and open-minded”, because that’s what it will take to assess whether an organization has complied.

As an ISO 9001 Trainer/Consultant, my advice is to begin by understanding how your organization currently deals with risks and opportunities, as an ongoing business issue (i.e. business or strategic planning).  Resist the urge to implement some new process or activity since it will likely not last if the business process owners don’t see inherent value in doing it, year after year, after year.  If your organization has weak business planning practices then look to your existing Quality Management System (QMS) since it primarily functions as a “risk” mitigating tool.  Keep in mind that your QMS also has ways of uncovering “opportunities” as well.

I recommend that once you’ve decided how you will address the terms “risk”, “risk-based thinking” and “opportunities”, then document your interpretation of these words within your Quality Manual. This is a good way to guide the Auditor (Internal or External) on how your organization has chosen to address these topics, and doing so should help prevent future disputes during subsequent audits of your QMS.


Sub-Clause 6.1.2  – This sub-clause asks you to [a] “plan” actions for risks & opportunities, and [b] “plan” how you will weave these actions into your QMS (and then “plan” how to check whether these actions worked).  They finish off in the last sentence reminding you that it is completely your decision on how big or how small these actions will be.

What you discovered when you investigated how your business currently handles risks and opportunities will dictate how you address the requirements within sub-clause 6.1.2.  If you have a Strategic Plan, or a Business Plan, and/or a SWOT Analysis (ISO 9001:2015 Newsletter Issue 4), then make reference to that activity within your Quality Manual.  Otherwise, follow my advice above about using your existing QMS as your risk & opportunity tool.

Finally, they’ve also added a couple of “NOTES” at the end which attempt to clarify the words in this Clause, and although they are nice sounding words, they don’t really help much… and remember that a “NOTE” is not a requirement within the ISO 9001:2015 Standard.


Be sure to watch for our next Newsletter issue where we will cover another section of ISO 9001:2015…


PS: Don’t forget to look at the Q&A section below for some final thoughts…





Need Training?

ISO 9001:2015 Essentials + Gap Audit

This combines the ISO 9001:2015 Essentials Session with a Gap Audit – This approach is used to assist organizations in launching their transition efforts for this new ISO Standard. This event accomplishes two things: a) it provides education on the new ISO 9001:2015 Standard for your key personnel (i.e. internal auditors; etc.), by highlighting the differences from the 2008 version; and b) assesses the gap from where you are today to where you need to be to achieve compliance to this new ISO Standard. Training certificates covering education on the new ISO 9001:2015 Standard, as well as issuing of a Gap Audit Report for distribution to your Top Management, are the two deliverables from this event. On a final note, a closing meeting can be arranged with key individuals so they can hear first hand the results of the Gap Audit that was performed.  PS: We’ve also done this session with just the QMS Management Rep attending, which allowed them to quickly get up to speed on this new Standard, as well as to see how much of an effort the transition will be… and of course they receive their own Training Certificate as part of this event.  This also allowed them to avoid traveling offsite to get the training they needed anyways, as evidence for their Certification Bodies.


Internal Process Auditing for ISO 9001:2015

The two (2) day Internal Process Auditing for ISO 9001:2015 Session (also covers requirements in ISO 19011) is focused on a process approach to auditing with the objective being not only to assess conformance of the quality management system, but also to uncover process improvements during an audit. This goes hand in hand with the process auditing requirements found within ISO 19011 and the process approach covered in ISO 9001:2015, which promotes continual process improvement throughout this Standard. An enhanced checklist is developed, and there will be workshops throughout, to reinforce learning, as well as a live, practice audit. If you are looking to meet the ISO 9001:2015 internal audit requirements and to “raise the bar” for your internal audit program then this is the course you should consider.



Q:  How do you perform a gap audit for Clause 6.1 of ISO 9001:2015?

A:  For Clause 6.1, a Gap Audit checklist should cover these areas:

–  How does the organization currently address risks & opportunities in their business?  Ask this question during interviews with the management team as a group, or individually.
–  How does the organization take into account the “internal and external issues” when addressing risk & opportunities (ref: ISO 9001:2015, Clause 4.1)?
–  How does the organization take into account the requirements of “interested parties” when addressing risk & opportunities (ref: ISO 9001:2015, Clause 4.2)?
–  How does the organization take into account the requirements stated within Clause 6.1 a) through d), when addressing risk & opportunities?
–  Has the organization planned the actions needed to address these risks & opportunities? Examples?
–  Has the organization planned how to integrate these actions into its QMS processes (ref: ISO 9001:2015, Clause 4.4)?
–  Has the organization planned how to evaluate the effectiveness of these actions?
–  Are the actions taken proportional to the potential impact on the conformity of the organization’s products and services? Examples?

(Make sure to interview more than one person and obtain examples for the items listed above)


Until next time…

Tim Renaud

Helping Business Professionals Reduce Risk and Remove Waste!