Issue 46 – Clause 6.1: Actions to address risks and opportunities
What’s the intent of Clause 6.1?… In our last Newsletter (ISO 9001:2015 Newsletter Issue 45) we discussed the topic of “Roles, Responsibilities and Authorities”. We now move into the next Element, called “Planning”, and in its first Clause we address “Risks & Opportunities”. The intent of Clause 6.1 is to have Top Management identify any risks, and any opportunities, that face the business, taking into account the context/purpose of their organization (Clause 4.1), as well as those parties that are interested (Clause 4.2) in how well the Quality Management System (QMS) performs.
Note A: This Clause DOES NOT include requirements for “documented information”.
Note B: In the event you were curious, the content for these Newsletters comes from working in the field with my Clients, and with their ISO Certification Bodies. I gain a lot of hands-on experience from conducting training workshops and gap audits, where the requirements of the Standard have to be interpreted and applied to each unique situation. A popular training request is our on-site Internal Process Auditor Training for ISO 9001:2015 since you will need to do a complete round of internal audits to the new Standard prior to your external upgrade audit. On that note, some organizations are opting to use an outside resource to assist with their internal audits in order to meet deadlines (…more details on this service, as well as the training sessions we offer, can be found below).
The new numbering format…
Element 4 – Context of the organization
Element 5 – Leadership
Element 6 – Planning
Element 7 – Support
Element 8 – Operation
Element 9 – Performance evaluation
Element 10 – Improvement
Clause 6.1 Actions to address risks and opportunities consists of two (2) Sub-Clauses as listed below:
6.1.1 [no title] When planning for the quality management system…
6.1.2 [no title] The organization shall plan…
Sub-Clause 6.1.1 – This sub-clause asks you to refer back to the issues in Clause 4.1 (Understanding the Organization and its Context) and the requirements in Clause 4.2 (Understanding the Needs and Expectations of Interested Parties) as part of your “planning” process, and then continues on to explain why you need to address risks and opportunities, in sub-clause 6.1.1 parts [a] through [d].
Let’s take a moment and talk about “risk”… I continue to hear ongoing discussions (lots and lots of discussions) in online forums debating the terms “risk” and “risk-based thinking”, what they mean, and what can be shown to an auditor as objective evidence.
Let’s begin with some words taken directly from the ISO 9001:2015 Standard…
From Annex A.4:
“One of the key purposes of a quality management system is to act as a preventive tool. Consequently, this International Standard does not have a separate clause or subclause on preventive action. The concept of preventive action is expressed through the use of risk-based thinking in formulating quality management system requirements.”
“Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process. Organizations can decide whether or not to develop a more extensive risk management methodology than is required by the ISO 9001:2015 International Standard, e.g. through the application of other guidance or standards.”
“Not all the processes of a quality management system represent the same level of risk in terms of the organization’s ability to meet its objectives, and the effects of uncertainty are not the same for all organizations. Under the requirements of 6.1 the organization is responsible for its application of risk-based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks.”
The above paragraphs come directly from the ISO 9001:2015 document… it’s their words, not mine… I’ve simply bolded some phrases to bring attention to the message being sent… that being, it is completely up to each individual organization on how THEY decide to address risks & opportunities for THEIR business.
Also, here are some additional facts derived directly from the ISO 9001:2015 Standard…
Other than Clause 5.1.1 d), there are NO other “shall” requirements for risk-based thinking in the ISO 9001:2015 Standard. Not one other “shall”… period… and Clause 5.1.1 d) simply asks top management to promote the use of risk-based thinking… that’s it “promote the use”… and NO documented information is required.
Let me continue…
The single word “risk” (not risk-based thinking) shows up in only eight (8) sentences as a requirement, but NOT ONE of these 8 sentences asks for “documented information”, which means verbal-only evidence will have to be acceptable to an auditor.
NOTE – These 8 sentences can be found in the following sub-clauses: 4.4.1 f); 5.1.2 b); 6.1.1; 6.1.2 a); 6.1.2-last sentence; 9.1.3 e); 9.3.2 e); 10.2.1 e)
Let me summarize then by saying that this new ISO 9001:2015 Standard has eliminated the Preventive Action clause and replaced it with a concept called “risk-based thinking”. I say “concept” because there are no teeth to it, no requirements exist other than to promote the concept within the organization, and there is no requirement to show documented proof that you have implemented “risk-based thinking” (even the old Preventive Action clause required a controlled record to be kept!).
As an ISO 9001 Auditor, I fully recognize the predicament this places the Auditor in, and two words come to mind, “flexible” and “open-minded”, because that’s what it will take to assess whether an organization has complied.
As an ISO 9001 Trainer/Consultant, my advice is to begin by understanding how your organization currently deals with risks and opportunities, as an ongoing business issue (i.e. business or strategic planning). Resist the urge to implement some new process or activity since it will likely not last if the business process owners don’t see inherent value in doing it, year after year, after year. If your organization has weak business planning practices then look to your existing Quality Management System (QMS) since it primarily functions as a “risk” mitigating tool. Keep in mind that your current QMS also has ways of uncovering “opportunities” as well.
I recommend that once you’ve decided how you will address the terms “risk”, “risk-based thinking” and “opportunities”, then document your interpretation of these words within your Quality Manual. This is a good way to guide the Auditor (Internal or External) on how your organization has chosen to address these topics, and doing so should help prevent future disputes during audits of your QMS.
Sub-Clause 6.1.2 – This sub-clause asks you to [a] “plan” actions for risks & opportunities, and [b] “plan” how you will weave these actions into your QMS (and then “plan” how to check whether these actions worked). They finish off in the last sentence reminding you that it is completely your decision on how big or how small these actions will be.
What you discovered when you investigated how your business currently handles risks and opportunities will dictate how you address the requirements within sub-clause 6.1.2. If you have a Strategic Plan, or a Business Plan, and/or a SWOT Analysis (ISO 9001:2015 Newsletter Issue 4), then make reference to that activity within your Quality Manual. Otherwise, follow my advice above about using your existing QMS as your risk & opportunity tool. Brainstorm a list of EXISTING methods/processes that address RISK, and another list of those that address OPPORTUNITIES. Make sure that whatever you list (such as Internal Audits – for both risk identification and discovery of opportunities) is already referenced in your current QMS, that the method causes “actions” to be taken, and that the method/actions are evaluated for effectiveness. Once these two lists are completed, simply insert them into your Quality Manual and point to them any time an Auditor mentions the words “risks & opportunities”!
Finally, they’ve also added a couple of “NOTES” at the end which attempt to clarify the words in this Clause, and although they are nice sounding words, they don’t really help much… and remember that a “NOTE” is not a requirement within the ISO 9001:2015 Standard.
Be sure to watch for our next Newsletter issue where we will cover another section of ISO 9001:2015…
PS: Don’t forget to look at the Q&A section below for some final thoughts…
For cost effectiveness, the Internal Audit function can be outsourced to an external experienced auditor on a periodic basis. This will provide an independent and objective assessment to management, of where process issues may exist, along with identifying opportunities for improvement. It will also provide the evidence needed to satisfy the Internal Audit requirements in the ISO Standards. We have used two different approaches with this service: a) We conduct the entire audit ourselves, or b) We act as the lead auditor, and along with your Team of internal auditors, we complete the entire audit together. This latter approach allows your people to receive guidance and direction from an experienced lead auditor while at the same time maintaining significant involvement in the internal audit process.
This Documentation Development Training Workshop for ISO 9001:2015 Session is intended to be a very interactive, hands-on session (hence the name Workshop) where your QMS documentation will be created/revised, with guidance from an experienced facilitator. This type of session can help launch your transition efforts by getting a lot accomplished within a compressed time-frame. If your organization has already begun the re-write then this session can be used to validate what you’ve accomplished so far, or if you haven’t yet begun, it can be the catalyst to get things started (…which is usually the hardest part). Deciding how to move from your current QMS structure into a new one can be a daunting task and this session can help you navigate through it. A copy of a sample Quality Manual (re-iterating the “shall” requirements found within the ISO 9001:2015 Standard) will be provided to each participant. As always, our focus will be on how to develop a simplified and streamlined quality management system, that helps to drive improvement in your business.
The two (2) day Internal Process Auditing for ISO 9001:2015 Training Session is focused on a process approach to auditing with the objective being not only to assess conformance of the quality management system, but also to uncover process improvements during an audit. This goes hand in hand with the process auditing requirements found within ISO 19011 and the process approach covered in ISO 9001:2015, which promotes continual process improvement throughout this Standard. An enhanced checklist is developed, and there will be workshops throughout, to reinforce learning, as well as a live, practice audit. If you are looking to meet the ISO 9001:2015 internal audit requirements and to “raise the bar” for your internal audit program then this is the course you should consider.
This combines the ISO 9001:2015 Essentials Session with a Gap Audit – This approach is used to assist organizations in launching their transition efforts for this new ISO Standard. This event accomplishes two things: a) it provides education on the new ISO 9001:2015 Standard for your key personnel (i.e. internal auditors; etc.), by highlighting the differences from the 2008 version; and b) it assesses the gap from where you are today to where you need to be to achieve compliance to this new ISO Standard. Training certificates covering education on the new ISO 9001:2015 Standard, as well as issuing of a Gap Audit Report for distribution to your Top Management, are the two deliverables from this event. On a final note, a closing meeting can be arranged with key individuals so they can hear first-hand the results of the Gap Audit that was performed. PS: We’ve also done this session with just the QMS Management Rep attending, which allowed them to quickly get up to speed on this new Standard, as well as to see how much of an effort the transition will be… and of course they receive their own Training Certificate as part of this event. This also allowed them to avoid traveling offsite to get the training they needed anyway, as evidence for their Certification Bodies.
Q: How do you perform an audit for Clause 6.1 of ISO 9001:2015?
A: For Clause 6.1, an Audit Checklist should cover these areas:
– How does the organization currently address risks & opportunities in their business? Ask this question during interviews with the management team as a group, or individually.
– How does the organization take into account the “internal and external issues” when addressing risk & opportunities (ref: ISO 9001:2015, Clause 4.1)?
– How does the organization take into account the requirements of “interested parties” when addressing risk & opportunities (ref: ISO 9001:2015, Clause 4.2)?
– How does the organization take into account the requirements stated within Clause 6.1 a) through d), when addressing risk & opportunities?
– Has the organization planned the actions needed to address these risks & opportunities? Examples?
– Has the organization planned how to integrate these actions into its QMS processes (ref: ISO 9001:2015, Clause 4.4)?
– Has the organization planned how to evaluate the effectiveness of these actions?
– Are the actions taken proportional to the potential impact on the conformity of the organization’s products and services? Examples?
(Make sure to interview more than one person and obtain examples for the items listed above)
Until next time…